NordVPN Archives - Security IT Summit | Forum Events Ltd
Posts Tagged :

NordVPN

5 innovative cybersecurity training methods to try in 2021

960 640 Guest Post

By Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams

As much as 88% of data breaches are caused by human error, but only 43% of workers admit having made mistakes that compromised cybersecurity. In the past year a third of the breaches incorporated social engineering techniques and the cost of a breach caused by a human error averaged to $3.33 million

To mitigate the risk, enterprises develop complex cybersecurity strategies and action plans, yet they are insufficient unless acknowledged by every member of their organization. Half of the Chief Information Security Officers (CISOs) plan to extend cybersecurity and privacy into all business decisions and that makes it every employee’s concern. 

With the ever-changing and evolving digital threats, maintaining cyber resistance is no longer limited to IT and security officers and depends on every member of the organization. Constant training is a way to build the team’s resilience against threats, yet it is not uncommon for them to turn into dull PowerPoint sessions, after which few remember the safety measures they should take. The problem is amplified by the workforce operating from home and not subscribing to security policies of the company.

CISOs and other stakeholders can grab employees’ attention by changing the methods of the regular cybersecurity training. Those who found training to be very interesting were 13 times more likely to change the way they think about cyber threats and protection against them. Therefore, organizations should seek memorable, entertaining and accessible ways to talk about complicated security matters.

5 ways to make cybersecurity training more attractive

Gamify it. Dull figures slide after slide, myriads of ‘dos and don’ts’ along with knotty safety procedures make the process lethargic. Quizzes, games, prizes and quality time with colleagues will enhance enjoyment and learning. Interactive activities boost engagement and thus yield better results when it comes to teaching staff about cybersecurity. 

Engage in friendly competition. The key element of the gamification is competition. However,  putting a prompt question within the video lesson or offering ‘innovative’ content is not enough. People are engaged when they have an incentive, be it a prize or pride. Companies should organize monthly, quarterly or yearly competitions to keep a workforce constantly aware of new threats and how to tackle them.

Make it rewarding. Turn the right answer into a badge, a discovered vulnerability into a star, and a year without an incident into a holiday bonus. People expect feedback while participating in a competition, and the reward system is the optimal way to do it. Instead of giving an opinion to everybody in private, security and IT professionals can award the achievements. They also help to track the progress of each employee and take the precautions if necessary.

Turn it into a team effort. Staying protected from breaches and attacks is everyone’s interest. Thus employees should be encouraged to work in teams and solve riddles with their colleagues. In a cybersecurity workshop, for instance, employees can be asked to craft a phishing email. This encourages them to find out more about this criminal technique, to look at the examples of it and thus recognize them at the first glance next time. 

Be understood. For information security professionals, IT and cybersecurity jargon is a native language.  Yet for accountants, marketers and many others it’s just a meaningless jabber. Make sure to speak clearly and to explain every term in plain language so the relative layman understands and remembers.

These tips also apply when teaching the staff how to use various cybersecurity tools, such as cloud services or VPNs. With people working remotely, many of them face the need to use two-factor authentication or secure connection for the first time as it was readily available by default at their usual workstations. Now they have to care for their and their company’s protection themselves. 

Cybersecurity is no longer a thing only information security and IT departments care about. As many workplaces rely solely on digital solutions which are used by the entire workforce, staying protected against cyberattacks requires everyone’s joint effort. The main notions of data security must be conveyed in an appealing manner.

Ecommerce explosion ‘opens cyber attack floodgates’

960 640 Stuart O'Brien

According to the Global Information Security Survey by Ernst and Young, customer information is the most valuable type of data for most attackers.

The threat to cybersecurity and privacy is increasing: about 6 in 10 organizations (59%) have faced a significant incident in the past 12 months, and 48% of executive boards believe that cyber attacks and data breaches will more than moderately impact their business in the next 12 months. 

Data breaches involving payment fraud and other issues related to online security have skyrocketed over the past few years, coinciding with the growth of the e-commerce industry, especially during the COVID-19 mandated quarantine regime. Measures to protect businesses and customers against cyber threats have never been more important.

One challenge that has grown for e-commerce businesses is that of open-source software vulnerabilities, according to NordVPN. Open-source software uses code that anyone can view, modify, or enhance. And while it has been hugely valuable to e-commerce businesses, it also carries a number of cybersecurity challenges.

‘’Open-source software is popular because it is often free to use or can be modified to suit the individual needs of a business. But this popularity means that any vulnerabilities found in the code can be a massive problem across a huge number of websites. Add in the changes COVID-19 has brought, and this problem has intensified a lot. Companies should really start making technical improvements to their websites fast if they want to avoid a potentially catastrophic breach. If they continue using unpatched, open-source software with vulnerabilities, they’ll leave themselves open to attacks,’’ said Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams.

Another issue businesses are facing is the rise in attacks on outdated or fake plugins. When used on companies’ websites, these compromised plugins can lead to the spread of malware. One such issue is e-skimming — an attack where malware infects online checkout pages to steal payment and personal information of shoppers. E-skimming is getting more common — companies both large and small have been hit by e-skimming attacks in the past two years, and that includes big names like Macy’s, Puma, and Ticketmaster. 

Other security threats to e-commerce sites include phishing, ransomware, SQL injection, DDoS attacks, and cross-site scripting (XSS).

E-commerce websites hold a lot of valuable data about their customers, and that makes business owners a target. Customers put a lot of trust in the merchants they shop with, providing personal data and sensitive payment information with every purchase. Earning consumer trust is critical to a continued relationship. Once lost, earning it back is really hard.

Businesses are also required to meet various compliance standards, and fines can be levied if those are not met. In case of a breach, there is a whole host of other problems to address: forensic investigation, data recovery services, credit monitoring for impacted parties, and liability insurance to help mitigate this financial risk, to name just a few.E-commerce security is never a done deal. Threats and hacking methodologies evolve at an alarming rate, so maintaining awareness and a security-focused mindset is the key to staying secure. Layering multiple solutions for business security is one of the best ways to keep an online business safe against cyber attacks.

‘’Companies can start with their firewalls (including web application firewalls), making sure the connection is secure, ensuring that passwords are strong, implementing multi-factor authentication, using intrusion detection systems, and constantly monitoring and updating web platforms,’’ the NordVPN Teams expert added.

DDoS attacks ‘sell for as low as $10 per hour’

960 640 Stuart O'Brien

By Juta Gurinaviciute, Chief Technology Officer, NordVPN Teams

The recently released Dark Web Price Index 2020 reveals the current average prices for a selection of cybercrime products and services available “on demand.” A basic targeted malware attack in Europe or the US costs $300, while a targeted distributed denial-of-service (DDoS) attack goes for as little as $10 per hour or $60 for 24 hours. The “salespeople” even offer volume discounts, making such attacks the go-to weapon for online extortion.

According to Nexusguard’s Q1 2020 Threat Report, in the first quarter this year, DDoS attacks increased by more than 278% compared to Q1 2019, and by more than 542% compared to the previous quarter. 

According to Gartner research, the average cost of downtime for a small-to-midsize business is $5,600 per minute. The World Economic Forum’s “Global Risks Report 2020” reveals that, in the United States, the chances of catching and prosecuting a cybercrime actor are almost nil (0.05%). At the same time, the impact on the targeted companies’ business is massive. IBM’s “Cost of a Data Breach Report” pegs the average cost of a security breach at $3.92 million.

Suffering a DDoS attack could be inevitable, especially if the business operates in a high-risk industry. Regardless of the solutions you implement, your company should incorporate a DDoS response procedure into your official business continuity plan. According to Ponemon Institute research, firms that can respond to a security incident quickly and contain the damage can save 26% or more on the total costs of the event cleanup.

‘One reason why DDoS attacks are so inexpensive is that more and more people that offer DDoS-for-hire services are leveraging the scale and bandwidth of public clouds. With remote work becoming the new standard and with emphasis on home internet connectivity at an all time high, proper security measures to mitigate these attacks have never been more important.

What is a DDoS attack?

Distributed denial of service (DDoS) attacks are a serious threat to modern network security. Their goal is to take down the target by either flooding traffic or triggering a crash. These attacks are often sourced from virtual machines in the cloud rather than from the attacker’s own machine, which is done to achieve anonymity and higher network bandwidth.

Typically, these types of attacks are run through botnets — networks of computer devices hijacked and infected by bots to carry out various scams and cyberattacks. A bot is a piece of malicious software that gets orders from another device or attacker. A computer becomes infected when a worm or virus installs the bot, or when the user visits a malicious website that exploits a vulnerability in the browser.

These days, because of the COVID-19 pandemic, organizations around the globe are embracing remote work at unprecedented rates. This has made online services of all kinds — from governments to banks and e-commerce to e-learning — more vulnerable to criminals, and DDoS attacks more alluring as a means of extortion. Such attacks don’t cost much and can produce excellent returns. When online connections are stopped or significantly slowed for even a few hours, employees’ work is disrupted, and customers can’t buy anything, which all leads to damaged revenues and public image of the organization.

How to protect company data

Without early threat detection and traffic profiling systems, it’s impossible to know a DDoS attack has occurred. In fact, you will only know about it when your website slows down or comes to a complete halt.

These attacks target data, applications, and infrastructure simultaneously to increase the chances of success. To fight them, an integrated security strategy protecting all infrastructure levels is necessary.

  • Develop a Denial of Service response plan. Make sure your data center is prepared, a checklist is in place, and your team is aware of their responsibilities.
  • Secure your network infrastructure. This includes advanced intrusion prevention and threat management systems — which combine firewalls, VPN, anti-spam, content filtering — and load balancing. Together, they enable constant and consistent network protection against DDoS attacks.
  • Make sure your systems are up to date. By regularly patching your infrastructure and installing new software versions, you can close more doors to attackers.
  • Leverage the cloud. Cloud-based apps can curb harmful or malicious traffic before it ever reaches its intended destination. Such services are operated by software engineers whose job is to monitor the web for the latest DDoS tactics and attack vectors.
  • Avoid public or unsecured Wi-Fi. If your remote team must log in to an account on a network you don’t trust, use a VPN to encrypt all communications. Even bank websites can be forged to be almost undetectable. So, if an attacker has administrative access to the network you’re using, a data breach may occur.