More stories

  • Perfect storm: Fraud is skyrocketing coming out of pandemic

    A financial crime monitoring platform has just announced the results of its latest financial crime report. The report from Feedzai analyzes 12B global transactions from January to March of this year in order to identify the latest fraud, banking, and consumer trends.

    The top line results are … dispiriting. Bank fraud attacks have increased 159% over the past year and phone banking fraud has seen a 728% increase. Over 90% of fraud attacks occurred online, and California, where I live, won the unwelcome distinction as the top state for fraud. Take that, New York.

    The jumps follow a post-pandemic logic. Coming out of lockdown, people are starting to spend more money locally and internationally. The time covered by the report saw a 410% increase in international transactions. Transaction volumes are increasing back to pre-pandemic levels, and fraud has followed close behind. At the same time, an increased reliance on digital services during the pandemic has placed consumers more at risk for online and phone fraud, particularly among consumers who previously preferred to shop in stores and may be less digitally savvy.

    “The world may have paused in 2020, but financial criminals did not,” says Jaime Ferreira, Senior Director of Global Data Science at Feedzai. “Reliance on digital forms of shopping, banking, and payments actually made it easier for fraudsters to attack more people, more quickly. As fewer consumers feel the need to walk into a bank branch or a mall we need to adapt financial services and payments to protect consumers. And as consumers, we need to continue to be vigilant and educate ourselves on how to stay safe.”


    According to the report, banking is the primary channel for fraudsters, whether online, in-person, or by phone. I recently listed an item on Craigslist and was met with a barrage of scams, some obvious, some rather elegant, all directed at perpetrating some form of rip-off, including attempting to access my bank account. With many bank branches closed or operating during limited hours during the pandemic, banking has shifted primarily online and over the phone, the perfect sandboxes for cheats.

    Following California, the states with the highest fraud were Florida, Washington, Arkansas, and New York. Interestingly, Android devices see 1.9 times more fraud than iOS devices, despite having only half the transaction volume of iOS. The report suggests Apple’s tighter control of apps on the App Store makes it more difficult for fraudsters to infiltrate the platform.

    All of this speaks to a need for greater vigilance than ever, which may be a tough message to sell as parts of the world that believe the worst of the pandemic is behind them cast a collective sigh of relief and shake off the dust heading into summer. The Feedzai Financial Crime Report Q2 2021 can be found in its entirety here.

  • Chrome 91 will warn users when installing untrusted extensions

    Google is expanding its Enhanced Safe Browsing feature in Chrome 91 to protect users when they’re installing a new extension from the Chrome Web Store. Chrome will start displaying a new dialogue warning users to proceed with caution if an extension is not trusted by Enhanced Safe Browsing. 

    Google rolled out Enhanced Safe Browsing last year as an opt-in protection against phishing and malware sites, to catch instances where it missed detecting these sites before users visited them. The feature used Chrome to share more security data with the service to check dodgy URLs in real time to determine whether a site is a phishing site.

    Now Google is using Enhanced Safe Browsing to improve its management of developers who publish extensions to the Chrome Web Store. This could create obstacles for extension developers who are new to the Chrome Web Store, as it will take a few months of abiding by Google’s policies to be considered trusted.

    “Any extensions built by a developer who follows the Chrome Web Store Developer Program Policies, will be considered trusted by Enhanced Safe Browsing. For new developers, it will take at least a few months of respecting these conditions to become trusted,” Badr Salmi from Google Safe Browsing and Varun Khaneja from Chrome Security explain in a blogpost. “Eventually, we strive for all developers with compliant extensions to reach this status upon meeting these criteria. Today, this represents nearly 75% of all extensions in the Chrome Web Store and we expect this number to keep growing as new developers become trusted.”

    The new framework for trusted developers follows Google’s year-long effort to clean up the Chrome Web Store from scammy and phishing extensions. Even after a crackdown last August, millions of users installed 28 malicious extensions.

    Chrome users can opt into Enhanced Safe Browsing by going to Settings > Privacy and Security > Security and checking ‘Enhanced protection’ under Safe Browsing. Users should note that this does allow the service to share data that’s temporarily linked to a Google account if the user is signed into Chrome. But Google claims that Chrome users who do enable Enhanced Safe Browsing are successfully phished 35% less than other users, so there may be a good security reason to enable it.

    Google is also bolstering download protection in Enhanced Safe Browsing to improve protections when downloading potentially risky files from the web. Users will get a warning when Chrome detects a suspicious file, and Chrome will suggest that the user send it to be scanned for further analysis. A first check is run through the standard Google Safe Browsing services.

    If you choose to send the file, Chrome will upload it to Google Safe Browsing, which will scan it using its static and dynamic analysis classifiers in real time. After a short wait, if Safe Browsing determines the file is unsafe, Chrome will display a warning. As always, you can bypass the warning and open the file without scanning. Uploaded files are deleted from Safe Browsing a short time after scanning.


  • Best identity theft protection & monitoring service 2021

    With more of our personal information being sent and stored via the internet, fraud and identity theft continue to rise. There are plenty of great options available for reasonable prices that can help to protect your identity, personal information, and credit score.

    Identity Guard: Middle-of-the-road option in terms of price

    Pricing: Individual plans ranging from $7.50 to $25 per month and family plans from $12.50 to $33.33 per month.

    While perhaps a bit lacking in its monitoring services, Aura’s Identity Guard is one of the most comprehensive in identity theft protection. Using an IBM Watson artificial intelligence program, Identity Guard scans the dark web for personal information such as social security numbers or banking information. This level of protection is the best available, but credit monitoring is not as robust. Identity Guard monitors three credit bureaus, but credit reports are only available once a year, and there is no opt-in for fraud alerts. This is a middle-of-the-road option in terms of price.

    Pros:
      • Anti-phishing mobile app.
      • Bank account and investment account monitoring.
      • Customer service is rated A+ with BBB.
      • IBM Watson artificial intelligence scanning program.
      • Identity theft insurance up to $1 million.
      • Monitors all three credit bureaus.
      • Offers safe browsing tools to protect online shopping, banking, or bill paying.
      • Reduces telemarketing calls, junk mail, and phishing emails.
      • Social insight reports.
      • Tax refund fraud alerts.
      • Three different plans provide flexibility.

    Cons:
      • Credit reports only once per year.
      • Does not offer a specific computer tool package.
      • No fraud alert with credit bureaus.
      • No “limited power of attorney” for recovery services.
      • No money-back guarantee.
      • Pricey mid-tier and upper-tier plans.
      • Single bureau credit score.


    Identity Force: Decent basic and cheaper option

    Pricing: Ranging between $9.99 and $17.99 per month for individual plans. Identity Force also offers custom family plans and enterprise plans to businesses.

    Depending on which option you choose, Identity Force can either be very high on this list or very low. The basic and cheaper option is decent in terms of identity theft protection, but its credit monitoring feature doesn’t offer reports, scores, or a broad monitoring scope. However, the more expensive plan is excellent and could reach the best on this list. This is one of the more pricey options, but an annual subscription and family plan would help to lower the overall price.

    Pros:
      • Access to credit report fraud assistance.
      • Credit freeze button.
      • Credit score simulator with the higher plan.
      • Customer service is rated A+ with BBB.
      • Dark web monitoring.
      • Identity theft insurance up to $1 million.
      • Junk mail opt-out.
      • Offers a VPN.
      • Quarterly credit reports.
      • Social media identity monitoring is in the basic plan.
      • Two-factor authentication.
      • Two months free on annual plans.

    Cons:
      • Above-average price.
      • Best features are limited to a more expensive plan.
      • You can’t contact customer support through the iOS app.
      • Information like IP address, web beacons, and browser fingerprinting is collected during the registration.
      • The lower tier plan doesn’t offer credit monitoring for all three bureaus.
      • No refunds for cancelling the service.
      • Only two plan options.
      • Subpar mobile app.


    IDShield: Best way to cover a large family

    Pricing: Individual plans range from $13.95 to $17.95 a month. The family plan ranges from $19.95 to $32.95 and is where the real value lies.

    If you are looking for the best way to cover a large family, this is probably the best option. By offering coverage for 10 people in their family plan, IDShield has the best family plan. Individual plans lack computer protections such as VPN or anti-virus software. For families, there’s no better option.

    Pros:
      • Alerts you whenever sex offenders move to your area.
      • Bank accounts monitored.
      • Customer service rated as A+ with BBB.
      • The family plan is available for up to 10 people.
      • Identity theft insurance up to $5 million.
      • Monitors all three credit bureaus with 12-month credit score tracking.
      • Offers additional educational resources.
      • Quarterly credit reports.
      • Will assign a private investigator to help restore a stolen identity.

    Cons:
      • Above average price for individual plans.
      • Alerts must be activated to receive them.
      • Confusing setup.
      • Limited plan levels and options.
      • No computer protections.
      • No credit reports.
      • No credit simulation.
      • No 401(k) or retirement account monitoring.
      • No VPN or anti-virus software.
      • Single bureau credit score.


    LifeLock’s identity fraud protections are among the very best

    Pricing: Basic plans start at $8.99 a month and provide “good enough” internet security, but the best protection comes with the more expensive plans that cap out at $34.99 per month.

    It can be pretty hard to beat Norton when it comes to internet security, but LifeLock is an excellent alternative. LifeLock’s identity fraud protections are among the very best. LifeLock’s identity theft insurance is some of the best on the market, but credit monitoring is among the worst on this list. Most egregiously, LifeLock doesn’t have a family plan. Instead, each child must have their own junior plan, which is about $5.99 extra per child every month.

    Pros:
      • All plans provide identity theft insurance.
      • Constant dark web scans for personal data.
      • Includes VPN.
      • Insurance includes stolen funds reimbursement and personal expense compensation.
      • Norton 360 software is available with some plans, excellent protection against viruses, spyware, and malware for up to five different devices.
      • Real-time fraud alerts are available by text, phone, and email.
      • 60-day money-back guarantee with the annual plan.
      • Three different plans available: Standard, Advantage, and Ultimate Plus.
      • Tracks social security number.
      • Up to $1 million for lawyers and experts, $25,000 to $1 million for stolen funds and personal expense compensation.

    Cons:
      • Above average price.
      • Coverage for children is an additional $5.99 for each child per month.
      • Credit file can only be locked with one bureau, not all three.
      • Must meet credit requirement to be eligible for credit protection and monitoring.
      • No credit simulator.
      • No family plan offered with LifeLock. Must purchase an additional junior plan for children.
      • The standard plan comes with less identity theft insurance.
      • The standard plan lacks alerts such as bank account and credit card activity.
      • Standard and Advantage plans only monitor one credit bureau.


    PrivacyGuard: There are better options available

    Pricing: The plans range in price from $9.99 to $24.99 monthly, so if you are only looking for a specific kind of coverage, you could find a good one cheaply.

    PrivacyGuard essentially offers an identity theft protection plan, a credit reporting plan, and a plan that includes both. So in that way, it’s good for giving you exactly what you want, but some of the plan options severely lack what some may consider crucial features. However, there are better options available on this list for a similar price when it comes to comprehensive coverage.

    Pros:
      • All three credit bureaus monitored with some plans.
      • Antivirus software.
      • Customer service rating of A+ with BBB.
      • Monthly blended credit reports are available with some plans.
      • New users can try any plan for two weeks for just $1.
      • Three different plans are available, each with different options.
      • Up to $1 million identity theft insurance with some plans.

    Cons:
      • No bank account monitoring.
      • No family plans offered.
      • Social network monitoring not provided.
      • Some plans have glaring gaps in credit or identity monitoring on their own.


    What do identity theft protection services do?

    These services will monitor websites and various databases for any signs of your personal information such as social security number, driver’s license number, bank account number, credit card number, etc. If any of this information is found online anywhere, it could be used in many different ways to steal money from you. These protection services will typically alert you and inform you of what you should do to prevent any future issues or help you to recover from theft. 

    What are the signs of identity theft?

    The most common signs associated with identity theft are collection calls or credit reports related to accounts you didn’t open, unexpectedly being denied a loan or credit card, and bills for accounts you didn’t open. It can take a long time before you see any evidence that your identity has been stolen, and when that evidence does appear it tends to come quickly and unexpectedly.

    What should I look for in an identity theft protection service?

    There are several things to check when searching for an identity theft protection service. Arguably the most important aspects when comparing one service to another are: monitoring, and how extensive it is; alerts, and how quickly you will be notified of fraud attempts; and recovery, including how much insurance is offered and what additional help and services are available.

    Which is the right service for you?

    Overall the best plan for protecting your identity and monitoring your credit as an individual is probably Identity Guard. While its credit monitoring is a little lacking, it comes through with its identity theft protection. However, if you are looking to cover your entire family, then you may want to look into IDShield, particularly if you have a large family that you want to protect. 


  • Aussie businesses blame skills and internet speeds for limiting IT use in 2019-20

    The Australian Bureau of Statistics’ (ABS) latest Business Characteristics Survey (BCS) has revealed there were four main factors that prevented or limited businesses from using IT during the 2019-20 financial year. These factors were lack of skilled persons within the business, unsuitable internet speed, insufficient knowledge of IT, and uncertainty around the cost of IT and its benefits. It was the first time the annual survey questioned Australian businesses about this.

    Another first-time question that was introduced to the survey looked at what type of IT businesses used during the financial year. According to the survey, cloud technology was the most popular type of IT technology, which was used by 57% of all businesses, followed by cybersecurity software with 26%. Down at the bottom of that list was 3D printing and blockchain technology.

    In terms of cloud usage, 55% of all businesses reported using paid cloud computing in 2019-20, which is 13 percentage points higher than the 42% recorded in 2017-18. The use of paid cloud computing increased with each consecutive employment size category, ABS said, pointing out that 81% of businesses with 200 or more persons employed reported using this service.

    The survey also showed that 12% of innovation-active businesses — defined as “businesses that had undertaken any innovative activity” — reported using Internet of Things (IoT) technology compared to 3% of non innovation-active businesses. Similarly, 9% of innovation-active businesses said they used data analytics versus the 2% of non innovation-active businesses. Unsurprisingly, 95% of businesses with 200 or more persons employed were most likely to report using one or more forms of IT.

    When the ABS surveyed businesses about cyber attacks, 8% saw a decline in the number of online security incidents and breaches during the full year, compared with 11% in 2017-18 and 16% in 2015-16. In 2019-20, 20% of all businesses reported having upgraded their cybersecurity software, standards, or protocols as part of their management practices.

    The ABS also took the opportunity to note that the BCS is currently undergoing a “redevelopment process” to “capture more detailed information on the two principal topics” of innovation and business use of IT. The redeveloped BCS innovation module will be a standalone survey, while the collection of business use of IT and other topics will be combined in another survey, both of which will run every two years and be conducted on alternating reference years, ABS said. The first innovation-focused collection will cover 2020-21, followed by the business use of IT survey in 2021-22.

  • Minister apologises after NDIA shared details of a victim with her perpetrator

    The minister responsible for the National Disability Insurance Scheme, Linda Reynolds, has apologised after a breach was committed against a woman who had experienced domestic violence.

    It was reported Friday morning that the National Disability Insurance Agency (NDIA) gave the private details of the woman and her children to the perpetrator who was recently released from jail. As detailed during Senate Estimates, the information included the location of the children’s school and the names of professionals working with one of the children.

    “The first thing I’d say is I unreservedly apologise for that, it should not have happened,” Reynolds said. “I’ve asked the NDIA for a full report on that. My first priority, and the NDIA’s first priority, is the safety and the privacy of the woman and the family concerned, and then also to work out how this happened and to make sure that it doesn’t happen again.”

    Also offering an apology to the victim was NDIA CEO Martin Hoffman, who said the investigation into what happened was already underway.

    “I can confirm that alerts were properly placed on the CRM record of this participant, the child, with the mother, in terms of the contact arrangements that should be in place. I can also confirm that the father had properly been removed from the child representative field, which is a field that drives the automated mail out of plan materials,” he explained.

    “I can also confirm that the information supplied was not the actual address of the family, but … did include location details, basically the suburb, and other material.

    “I’ve asked for a very rapid and thorough review as to what happened in this case, given that the actions in the CRM of the alert and the removal of the father from the child representative field had been done at the appropriate time.”

    Hoffman said he was alerted to the breach on Wednesday; Reynolds said she became aware on Friday morning. NDIA officials were probed on how they became aware of the incident, specifically, if it was in response to a media enquiry.

    “I didn’t get it through that channel, there was one at the same time, but we also had it escalated through the national contact centre,” Hoffman said.

    Labor Senator Jenny McAllister quoted the victim as saying in the initial media report that her pleas to the NDIA “fell on deaf ears”, as she was asked to send an email after calling to report the incident. She asked Hoffman if he was satisfied with the actions of his agency in the aftermath.

    “I’m clearly not satisfied that the communication, through the mail out of plan materials, included information that should not have been provided to the father, absolutely,” he said.

    “I am satisfied that the agency has very actively engaged repeatedly with the mother and the family in terms of rapid plan variations, additional support, engagement with other agencies in Victoria, to ensure the coordination of support, be it housing or safety, etc.

    “That activity has been extensive and ongoing, and is continuing today.

    “All I know, is that we’re proceeding to, as I said, understand fully the systems issues here, noting, as I said, that the right alerts and the right removal from the child rep field were done at the appropriate time.”

    Hoffman also said the NDIA has “very clear” approaches in terms of the identification and approval requirements for people to gain access to information about participants and their plans, through both the national contact centre and in-branch.

    “This is a very complicated area, there are often disputes, claims and counterclaims are made, timing of receipt of court orders, intervention orders, etc goes to this,” he said. “But this is an area that we do have policy and process to try and maintain the security of that information.”

    The apology from Reynolds comes merely 24 hours after Minister for Families and Social Services Anne Ruston apologised to a survivor who had their personal information breached when the details of their application to the National Redress Scheme were uploaded directly to another person’s myGov account.

  • Experts suggest tougher limits on access for employees after Supreme Court ruling limits use of hacking law

    The Supreme Court ruled against the government in a case centered around the Computer Fraud and Abuse Act (CFAA) on Thursday, writing that the Justice Department’s interpretation of the law was too broad and effectively attached “criminal penalties to a breathtaking amount of commonplace computer activity.”

    The 6-3 decision put a limit on how the federal government can use the law to prosecute those who unlawfully access a system. In her majority opinion, Justice Amy Coney Barrett wrote that Nathan Van Buren — a police officer from Cummings, Georgia who was convicted for taking a bribe to look up a license plate — did not violate the CFAA because as an officer he was given full access to the license plate database.


    Barrett was joined by Justices Sotomayor, Gorsuch, Kagan, Kavanaugh and Breyer, while Thomas, Alito and Chief Justice Roberts dissented. Barrett argued that by saying Van Buren exceeded his “authorized access” as a police officer, the government was criminalizing “every violation of a computer-use policy.” If that was the case, Barrett said it would mean that “millions of otherwise law-abiding citizens are criminals.”

    Lawyers and legal experts had a wide range of responses to the ruling depending on the client base. The ACLU praised the decision, listing specific instances where the expanded reading of the law criminalized everyday activity and research. Esha Bhandari, deputy director of the ACLU’s Speech, Privacy, and Technology Project, called it an “important victory for civil liberties and civil rights enforcement in the digital age,” adding that it will “allow researchers and journalists to use common investigative techniques online without fear of CFAA liability.”

    Erez Liebermann, a partner at Linklaters, said companies and government entities now need to take extra steps to place technological barriers around data in their companies if they want to restrict access to employees. While this will add costs, Liebermann said it may make data more secure, both from internal users and hackers roaming through a company’s system.

    “The Court’s opinion removes a strong criminal deterrent. Employees who might have shied away from theft of internal data because of the fear of prosecution or civil action have caught a break,” Liebermann explained. “Terms of Use and Authorized Use Policies, which already had little teeth given that most people don’t read them, just had a few more teeth knocked out. It’s doubtful that they could form the basis of a criminal prosecution or civil action.”

    Mark Langer, a privacy associate with Aleada, said critics and activists have fought against the law for years because the CFAA’s current structure gives the government broad authority to prosecute and then rely on prosecutorial discretion to ensure that this authority is not abused. “Having the Supreme Court push back on this sweeping interpretation of the CFAA is a huge step for reining in the CFAA’s scope. Solving this problem goes far beyond the scope and facts of one case, and it is the job for a legislature, not a judge. Hopefully this case will provide momentum to Congress’s efforts to bring these laws into the 21st century,” Langer said.

    Epstein Becker Green lawyer Aime Dempsey explained that since the law was passed in the 1980s, it was used to prosecute hackers and as a way for companies to sue certain employees for damages and other penalties. Dempsey echoed Liebermann’s sentiment, telling ZDNet that employers needed to place more stringent limits on employee access now that the Supreme Court has ruled that even if unlawful access may violate company policy, it would not violate the CFAA. “If a company has a policy that someone will get fired if they misuse information, this decision wouldn’t change that at all. It would only change the access to this particular statute of the CFAA criminally or civilly,” Dempsey said.

    Alan Brill, senior managing director in the cyber risk practice of consultancy firm Kroll, said that the ruling “isn’t giving people a free pass to steal or misuse data because there are other laws to use in certain cases.” Companies will need to look at how their systems are built and whether they are giving too many employees access to too much information, he said.

    “I would probably call together the general counsel, the HR manager, the IT manager and the compliance officer and I would look at what our organization’s rules are for use and misuse of data. I would want to make sure that they were very clearly spelled out and I would want to make sure that they were spelled out appropriately in light of the other laws and labor laws,” Brill explained.

    Rules and penalties should be explained and sketched out in compliance with collective bargaining agreements, Brill added, noting that some companies should consider having employees sign updated non-disclosure agreements or computer use agreements. “This is a multi-dimensional problem that needs a well-thought-out, multi-dimensional answer,” Brill said. “But if we stick with the basics, giving people access to what they need and not giving them access to what they don’t need, we’re going a long way to immunizing ourselves from the effects of this decision.”

  • US Supreme Court limits scope of CFAA and rules bribing cops for data is not hacking

    The US Supreme Court has ruled that a police officer who obtained information from a licence database for a civilian, in exchange for money, did not violate federal hacking laws. The ruling clarifies the scope of the Computer Fraud and Abuse Act of 1986 (CFAA) and what kind of conduct can be prosecuted. The CFAA became law after the US government found cybercrimes and hacking were not sufficiently addressed by legislation at the time.

    The case arose after the Federal Bureau of Investigation caught former Georgia police officer, Nathan Van Buren, using his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. When making the search, Van Buren used his own, valid credentials. After Van Buren was first charged, a US District Court convicted him of two charges: violating police department policy by obtaining database information for a personal purpose, and violating the CFAA by using a computer network in a way contrary to his job. Van Buren appealed those charges, however, which eventually brought the case to the US Supreme Court and its judgment.

    At the Supreme Court, the justices ruled 6-3 in favour of Van Buren as he had access to the database as part of his valid credentials. When making that ruling, the justices framed their judgment on whether Van Buren “exceeded his authorised access” when accessing the license plate database.

    “In the computing context, ‘access’ references the act of entering a computer ‘system itself’ or a particular ‘part of a computer system,’ such as files, folders, or databases,” Justice Amy Coney Barrett said, who wrote the majority opinion. “It is thus consistent with that meaning to equate ‘exceed[ing] authorised access’ with the act of entering a part of the system to which a computer user lacks access privileges.”

    The three judges who dissented against the decision, Justices Clarence Thomas, Samuel Alito, and John Roberts, believed that Van Buren did breach the hacking laws as he was forbidden from using the computer to obtain the licence information. “Van Buren’s conduct was legal only if he was entitled to obtain that specific license-plate information by using his admittedly authorised access to the database. He was not. A person is entitled to do something only if he has a ‘right’ to do it,” Thomas wrote in his dissenting opinion.

    In making the dissent, Thomas analogised Van Buren’s conduct to an employee pulling an alarm for a self-motivated reason or a valet accessing a patron’s car and then proceeding to go on a joyride. “An employee who is entitled to pull the alarm in the event of a fire is not entitled to pull it for some other purpose, such as to delay a meeting for which he is unprepared,” Thomas wrote.

    With the judgment, the CFAA charge against Van Buren has been dropped, while the charge for violating department policy remains intact.

    Fujifilm becomes latest ransomware victim as White House urges business leaders to take action

    Japanese conglomerate Fujifilm announced that it is suffering from a ransomware attack, becoming the latest victim of cyberattackers who in the last week alone have crippled everything from the largest meat processor in the US to the ferry system serving Martha’s Vineyard.

    In a statement, the company said it was investigating unauthorized access to its servers and had no choice but to shut down its network. On Tuesday evening, the company said it became aware that it was being hit with ransomware and had spent the last two days trying to “determine the extent and the scale of the issue.”

    The photography and medical imaging giant said the attack had affected all of its external communications, including email and phone services. BleepingComputer spoke with Advanced Intel CEO Vitali Kremez, who said Fujifilm had been hit with the Qbot trojan in May and added that the people behind Qbot have lately been working with the REvil ransomware gang.

    REvil caused outrage again this weekend after being implicated in a ransomware attack on JBS, one of the world’s largest meat processors and the supplier of about one fourth of the beef and pork in the US. The gang previously shut down Colonial Pipeline, causing gas shortages on the East Coast and a national outcry that prompted more stringent cybersecurity guidelines for pipelines.

    In response to the increasing number of attacks, the White House released an open letter on Thursday titled “What We Urge You To Do To Protect Against The Threat of Ransomware”, from Anne Neuberger, deputy assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology.

    Despite the startling increase in ransomware attacks in the last few months, Neuberger touted the White House’s efforts to deal with the crisis, noting that the US government is currently “disrupting ransomware networks, working with international partners to hold countries that harbor ransomware actors accountable, developing cohesive and consistent policies towards ransom payments and enabling rapid tracing and interdiction of virtual currency proceeds.” But she added that it was important for the private sector to do its part in addressing the cybersecurity posture of its organizations.

    “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” Neuberger said. She urged business leaders to “immediately convene their leadership teams to discuss the ransomware threat” and to enhance security measures as well as continuity plans in case they are attacked. Neuberger included a list of best practices and suggestions that ranged from the creation of data backups to prompt system patching, third-party cybersecurity reviews, and segmented networks.

    “Ransomware attacks have disrupted organizations around the world, from hospitals across Ireland, Germany and France, to pipelines in the United States and banks in the UK,” Neuberger wrote. “The US Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility.”

    Setu Kulkarni, vice president of strategy at WhiteHat Security, said the two pieces of advice that stood out from the letter are the incident response testing and the pen testing. Kulkarni explained that organizations often treat incident response plans like business continuity plans, creating them only for compliance.

    “We need to make a change here to treat the incident response plan much like a fire drill or an earthquake drill so that when the inevitable breach happens, the entire organization is clear on the first few steps and that will give them the time they need to counter the threat effectively rather than scrambling at the nth minute,” Kulkarni said. “The memo should be updated to further emphasize penetration testing of production systems in a continuous manner — this is important because while the production systems may not change that often, the adversary and the threat landscape are fast evolving in an attempt to breach these production systems.”

    Focusing on continuous production security testing of web, mobile and API applications, Kulkarni added, should be non-negotiable. But Kulkarni said the memo fell short because it does not create an environment of incentives and disincentives for organizations to double down on these security fundamentals.

    Tony Cole, CTO of Attivo Networks and a former executive at FireEye, McAfee, and Symantec, told ZDNet that there were a variety of reasons behind the recent spate of ransomware attacks. Enterprises have an over-reliance on vendors and, in general, organizations continue to add digital tools to their operations, which increases the complexity of work for cybersecurity officials. Cole, who previously worked as a cyber operator for the US Army, added that there is a general lack of cyber defenders with the skill sets needed to keep organizations safe, as well as of systems that prevent privilege escalation.

    “No solution is perfect, and attackers will get into the enterprise if they are determined enough with the resources to back their efforts,” Cole said. “Organizations must understand that they can’t prevent all attacks.”

    Dozens of cybersecurity experts told ZDNet that the letter was an appropriate move considering the current landscape of cyberthreats. Many, like Egnyte cybersecurity evangelist Neil Jones, said there has been a marked shift from simple data theft and cyber-espionage to attacks specifically designed to cripple critical services and business productivity. Others echoed Neuberger’s letter in saying that companies now need to prepare for when, not if, they are hit with ransomware.

    Tom Garrubba, CISO of Shared Assessments, questioned why critical infrastructure organizations are not being held more accountable and said it was time for certain enterprises to be held to a higher level of legislative scrutiny, like financial institutions and even retail enterprises. “Perhaps it’s time to bring in the executives and board members of these breached organizations to publicly explain these breaches and how their organizations are addressing the IT risks in the current environment,” Garrubba explained. “Every C-Suite and BoD needs to be similarly prepared to answer these questions.”

    Sophos senior security advisor John Shier noted that the financial incentives of ransomware attacks need to be removed in order to address the problem. Shier said attackers want to hit where it hurts the most to increase their likelihood of a large payout, but most ransomware attacks aren’t targeted scenarios, as seen with the Colonial Pipeline attack. “Attackers are opportunistic. Once they realize they’ve secured a potentially lucrative victim, they go all in — that’s when they become targeted attacks,” he added, explaining that while no defense can be bulletproof, putting up tougher barriers will force cybercriminals to move on to easier targets.

    While many experts said it was important to have plans in place for how to recover from an attack, Gurucul CEO Saryu Nayyar said organizations had to implement defenses that could reduce their attack surface and detect ransomware attacks in real time. “The technology is available. It’s just a matter of putting it in place and working diligently to identify and derail cybercriminals and malicious insiders before they derail you,” Nayyar told ZDNet.

    But even with a slate of cybersecurity tools available, many IT teams and CISOs do not have full buy-in from the leaders of their organization. The letter may help justify requests for bigger cybersecurity budgets and more help, according to Digital Shadows CISO Rick Holland. “One comment that stands out to me from Neuberger’s memo is the need for a ‘skilled, empowered security team.’ We so often focus on technology to solve our problems,” Holland said. “Focus on your teams first; have dedicated training and development programs.”

    Doug Britton, CEO of Haystack Solutions, said that while the recommendations from the White House were accurate and worthwhile, the biggest problem is finding a team able to implement the measures. “Unfortunately, with hundreds of thousands of cyber positions unfilled in the US alone, the million-pound gorilla in the room is, ‘where are the qualified cyber practitioners that can expertly implement the recommendations?’” Britton said. “Ideally, the national strategy will also rethink the underlying economics of identifying the potential talent, decreasing the cost of training the talent, and retaining that talent in industry.”

    Kulkarni echoed those remarks, noting that the need for a skilled security team was the area with the largest gap between aspiration and reality. “There are just not enough security personnel in the world to staff security teams in organizations today,” Kulkarni said. “What is needed is a combinatorial approach: accelerated and scaled-up security training in the country for security professionals plus training the general population about avoiding risky online behavior.”