The statistic that cybercriminals have been unleashing 18 million phishing emails laced with malware on a daily basis into cyberspace during the pandemic is mind-boggling, and one that executives should pay attention to when prioritizing resources for user education. Math was never my strongest subject, but 18 million malicious emails targeted at all of us on a daily basis is a LOT.

A new study rolled out by Google, in collaboration with researchers at Stanford University, studied more than one billion malicious emails and targets that Google had identified and blocked over a period of five months, to get more intelligence about who was being targeted and how the campaigns were targeting users. The study found that users in the U.S. were targeted more than any others in the world, followed by the United Kingdom and Japan.

The study reports that the most effective phishing scams were fast and short-lived, lasting one to three days. They found that over 100 million malicious emails were launched in these short time frames. In addition, they discovered that if a user’s email address or personal information had been previously compromised, they were five times more likely to be targeted by a phishing scheme. The study also concluded that users aged 55 to 64 were 1.64 times more likely to be targeted by cybercriminals than 18- to 24-year-olds.

The statistic is astounding, and the results of the analysis are very informative for businesses. The takeaway is that the number of phishing schemes continues to rise, user education continues to be essential in protecting company data against these schemes, and education is particularly important depending on a user’s age.

Although its conclusion is somewhat obvious, the World Economic Forum, in partnership with Marsh McLennan, SK Group and Zurich Insurance Group, recently issued its 16th edition of the Global Risks Report (the Report), which analyzes “the risks from societal fractures—manifested through persistent and emerging risks to human health, rising unemployment, widening digital divides, youth disillusionment, and geopolitical fragmentation” and determined that cyber-attacks are “key threats of the next decade.”

The Report outlines severe risks, including the COVID-19 pandemic, debt crises, climate change and a host of other predicted ailments, and cybersecurity is one of the top risks. The Report has mentioned cyber-attacks as a risk since 2012, and certainly the risk today is far more widespread than it has been in the past.

Cybersecurity failure is listed as a “top risk by likelihood” over the next decade. IT infrastructure breakdown is “among the highest impact risks of the next decade.” Weaving through the Evolving Risks Landscape Chart, cyber-attacks and data fraud or theft have jumped to the top of the list as a cluster.

In preparing for the global risks outlined in the Report, the World Economic Forum, although calling the risks outlined in the report “dire,” surmised that in contemplating the next crisis after COVID-19, “[T]he response to COVID-19 offers four governance opportunities to strengthen the overall resilience of countries, businesses and the international community: (1) formulating analytical frameworks that take a holistic and systems-based view of risk impacts; (2) investing in high-profile “risk champions” to encourage national leadership and international co-operation; (3) improving risk communications and combating misinformation; and (4) exploring new forms of public-private partnership on risk preparedness.”

Although the Report is brutally honest and transparent in its predictions, it is perhaps a snapshot of the future for business leaders to consider when planning long-term business strategies, including managing the top risks by likelihood and impact to the organization. This would obviously include cybersecurity preparedness and resilience.

A Tampa, Florida area water facility was recently hacked using a popular remote-access software tool. The unidentified hacker also used the software to connect to an on-site computer and then used that computer to access the facility’s control panel. Once there, the hacker programmed a 100x increase in the level of sodium hydroxide (lye) to be added to the water supply. While small amounts of lye are used to control the acidity of water, at these massively increased levels, lye is corrosive. Drinking the water could be like drinking liquid drain cleaner.

There are many valuable and legitimate uses of remote-access software. This software allows a user to take full control of another computer as if they were sitting in front of it. The particular brand of remote-access software involved in this incident is popular with consumers and businesses and has more than 200 million users globally. It can be used by individuals to remotely access and troubleshoot their family members’ computer issues. However, there are now questions about whether remote-access software is appropriate to monitor and change controls at critical infrastructure facilities.

There are alternative approaches. Some critical infrastructure facilities permit remote-access software, but only to monitor the facility systems. Any changes must be completed on site from computers not connected to external systems or software. Some in the critical infrastructure industry recommend requiring a secure VPN to remotely access the internal network. After using the VPN, any additional access by the remote user would be done via a secured login with mandatory multi-factor authentication. Some recommend a second secure login inside the network that controls the critical infrastructure.

Industry members are quick to point out that critical infrastructure systems often have multiple safeguards to prevent extreme manipulation of the systems. For example, many water treatment facilities have physical size restriction limits on the quantities of chemicals that can be introduced into the system over any given period. This type of safeguard could restrict the speed and/or amount of chemicals that would actually be pumped into a system, even if programmed to do so. But if a hacker can remotely access the system controls to program changes in quantity, could they possibly program other changes, such as changes to these safeguards?
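The safeguards described in the two paragraphs above (remote sessions limited to monitoring, on-site changes gated behind multi-factor authentication, and a physical ceiling plus a per-change limit on chemical dosing) can be modelled as a small control-logic check. The following is an added illustration, not code from the facility or from any vendor; the class names, the ppm figures and the limit values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Session:
    user: str
    origin: str            # "onsite" or "remote" (constructed labels)
    mfa_verified: bool     # second factor completed for this login


@dataclass
class DosingLimits:
    max_ppm: float         # hard ceiling the dosing pump may ever be set to
    max_step_factor: float # largest ratio new/current allowed in one change


@dataclass
class DosingController:
    """Hypothetical sodium hydroxide dosing controller with layered safeguards."""
    limits: DosingLimits
    setpoint_ppm: float
    audit_log: List[dict] = field(default_factory=list)

    def read_setpoint(self, session: Session) -> float:
        # Monitoring is permitted from any origin, including remote sessions.
        self._record(session, "read", self.setpoint_ppm, True, "ok")
        return self.setpoint_ppm

    def request_setpoint(self, session: Session, requested_ppm: float) -> Tuple[bool, str]:
        # Every write attempt is logged, accepted or not, so an operator can see it.
        accepted, reason = self._check(session, requested_ppm)
        self._record(session, "write", requested_ppm, accepted, reason)
        if accepted:
            self.setpoint_ppm = requested_ppm
        return accepted, reason

    def _check(self, session: Session, requested_ppm: float) -> Tuple[bool, str]:
        if session.origin != "onsite":
            return False, "remote sessions are monitor-only"
        if not session.mfa_verified:
            return False, "multi-factor authentication required"
        if requested_ppm <= 0:
            return False, "setpoint must be positive"
        if requested_ppm > self.limits.max_ppm:
            return False, f"exceeds physical limit of {self.limits.max_ppm} ppm"
        # A 100x jump is blocked by the step limit even if it were under the ceiling.
        if self.setpoint_ppm > 0 and requested_ppm / self.setpoint_ppm > self.limits.max_step_factor:
            return False, "step change exceeds per-change limit"
        return True, "accepted"

    def _record(self, session: Session, action: str, value: float, accepted: bool, reason: str) -> None:
        self.audit_log.append({"user": session.user, "origin": session.origin,
                               "action": action, "value": value,
                               "accepted": accepted, "reason": reason})

    def rejected_writes(self) -> List[dict]:
        # Rejected write attempts are the events worth alerting an operator on.
        return [e for e in self.audit_log if e["action"] == "write" and not e["accepted"]]
```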

In the case of the Florida water facility, any possible crisis was averted because an attentive employee saw the controls being changed, and notified the company, which notified the police. The increases in sodium hydroxide were quickly reversed.

The incident remains under investigation by the FBI and Secret Service, as well as local law enforcement officials.

See: https://www.tampabay.com/news/pinellas/2021/02/08/someone-tried-to-poison-oldsmars-water-supply-during-hack-sheriff-says/

In what the New York Department of Financial Services (NYDFS) is touting as the first guidance by a U.S. regulator on cyber insurance, NYDFS announced on February 4, 2021, in Insurance Circular Letter No. 2 (2021), that it has issued a new Cyber Insurance Risk Framework (Framework) addressed to authorized property/casualty insurers that write cyber insurance. Nonetheless, NYDFS states “property/casualty insurers that do not write cyber insurance should still evaluate their exposure to ‘silent risk’ and take appropriate steps to reduce that exposure.”

The Framework consists of seven practices that “all authorized property/casualty insurers that write cyber insurance should employ,” while stating that “[E]ach insurer should take an approach that is proportionate to its risk.” The seven practices include:

  • Establish a Formal Cyber Insurance Risk Strategy
  • Manage and Eliminate Exposure to Silent Cyber Insurance Risk
  • Evaluate Systemic Risk
  • Rigorously Measure Insured Risk
  • Educate Insureds and Insurance Producers
  • Obtain Cybersecurity Expertise
  • Require Notice to Law Enforcement

The background of the issuance of the Framework follows the growth of the cyber insurance market, the increase in cyber risks and payouts, and that “it is clear that cybersecurity is now critically important to almost every aspect of modern life—from consumer protection to national security.” NYDFS recognizes that “as cyber risk has increased, so too has risk in underwriting cyber insurance.” Statistics cited in the Framework include the fact that based upon a survey it developed, from early 2018 to late 2019, “the number of insurance claims arising from ransomware increased by 180%, and the average cost of a ransomware claim rose by 150%. Moreover, the number of ransomware attacks reported to DFS almost doubled in 2020 from the previous year…[T]he global cost of ransomware was approximately $20 billion in 2020.”

NYDFS cautions that insurers “are not yet able to accurately measure cyber risk” and before offering that line of product to certain organizations, insurers should assess the risk of the insured.

NYDFS calls the growing cyber risk “an urgent challenge for insurers.” The NYDFS Letter can be accessed here: https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02

I was scrolling through a social media site this week, and was struck by how many requests asked people to respond to questions regarding their biographical information. For example, what was the number one album when you were a senior in high school? What was your favorite beach or park when you were growing up? Where was your first job? What month is your birthday?

These types of questions are popular on social media because they are designed to generate interaction and engagement, potentially increasing followers. While some requests for such information may be done just to engage followers in interesting dialogue, these types of questions and responses also give data miners and others the opportunity to collect, analyze, and use our data for a variety of purposes, including advertising.

When you answer these types of questions on social media, you are disclosing key personal information, which, when compiled with other public information, creates a data profile that could be useful for scammers. Responding to requests for tidbits of personal information on social media may seem harmless, but keep in mind that every piece of your data that’s on the internet also increases the ability of hackers to steal your identity.

Oh, if I had just bought that Bitcoin when I first thought about it a decade ago…I might risk a flight to Fiji right now, which is on my bucket list, even in the midst of the pandemic. Alas, I didn’t, because I assessed the risk first and made my own decision. Yes, I lost out on tremendous profits, but hey, I love my job and Fiji will be there for me, and it was the right decision for me.

The urge to purchase cryptocurrency is strong right now as the value has skyrocketed. Nonetheless, before purchasing any type of cryptocurrency, there are a couple of things you may wish to consider.

My mantra these days is “Yes, you, me, and all of us collectively are being targeted by state-sponsored hackers,” mostly from Russia, China and North Korea. Their methods are similar and sinister, and their goals the same—profit, power and domination.

North Korea is stealing cryptocurrency at an alarming rate, the goal of which is to fund its nuclear and ballistic missile programs in the face of tough international sanctions. It is estimated by the United Nations (U.N.) that North Korean state-sponsored hackers stole approximately $316.4M in virtual assets from digital currency exchanges between 2019 and November of 2020. U.N. monitors report that North Korea has generated approximately $2 billion by stealing funds from banks and cryptocurrency exchanges using sophisticated cyberattacks.

One of the largest thefts that North Korea is believed to be behind was against cryptocurrency exchange KuCoin, which reported the theft of $281 million in bitcoin and other crypto tokens in September of 2020. (This has not been confirmed by KuCoin, but KuCoin has publicly stated that it is working with law enforcement to confirm who was behind the incident). It is reported that KuCoin was able to recover 80 percent of the stolen funds through cooperation with other exchanges that froze the funds that the hackers were attempting to launder.

Some things to consider before jumping into the cryptocurrency frenzy:

  • Cryptocurrency exchanges are not regulated like other financial institutions.
  • The United States Federal Reserve does not back any loss of funds in cryptocurrency exchanges.
  • If you pass away and have assets in cryptocurrency, or lose the password to your crypto wallet, those funds could be lost; treat the account like any other and plan for what happens to it should you pass away—planning is really important here.
  • Even though they are digital, cryptocurrency holdings are still considered assets by the IRS, so be aware of the tax laws applicable to cryptocurrency.
  • Cryptocurrency exchanges have gone out of business with no recourse for investors, so researching them like any other investment, including their, is prudent.
  • Be aware that state-sponsored attackers, particularly North Korea, are fervently and successfully targeting cryptocurrency exchanges to fund their nuclear capabilities against adverse nations, including the United States, which affects our national security.

Following the recent report by U.N. monitors in relation to the current hype of Bitcoin, these are just a few considerations before investing in cryptocurrency. Enter that market slowly and research risk while contemplating reward.

It is being reported that the Office of the Washington State Auditor (SAO) is investigating a security incident, allegedly caused by a third-party vendor, that may have compromised the personal information of up to 1.6 million residents of the state of Washington who filed unemployment claims in 2020.

The SAO is investigating fraudulent unemployment claims filed in Washington in 2020 that reportedly cost the state up to $600 million. In completing the audit, the state utilized a third-party vendor, Accellion, to transmit computer files for the investigation.

According to the SAO, “during the week of January 25, 2021, Accellion confirmed that an unauthorized person gained access to SAO files by exploiting a vulnerability in Accellion’s file transfer service.” The SAO posted on its website that the unauthorized person “was able to exploit a software vulnerability in Accellion’s file transfer service and gain access to files that were being transferred using Accellion’s service,” which occurred in December 2020.

Data that may have been affected includes 1.6 million individuals’ claims made between January 1, 2020 and December 10, 2020, including claims made by state employees. The compromised information includes individuals’ names, Social Security numbers and/or drivers’ license or state ID numbers, bank information and place of employment. In addition, the personal information of some individuals whose information was held by the Department of Children, Youth and Families was also compromised.

What a terrible consequence for those who legitimately lost their job and filed for unemployment benefits. For those whose personal information was used to file a fraudulent unemployment claim, this news throws a massive amount of salt in the wound of being the victim of identity theft.

New York Governor Andrew Cuomo recently announced his proposal for a comprehensive data security law that will “provide New Yorkers with transparency and control over their personal data and provide new privacy protections.” The proposal also would establish a Consumer Data Privacy Bill of Rights that would guarantee “the right to access, control, and erase the data collected from them; the right to nondiscrimination from providers for exercising these rights; and the right to equal access to services.”

According to the state of New York’s website announcing the initiative, the proposal also “expressly protects sensitive categories of information including health, biometric and location data and creates strong enforcement mechanisms to hold covered entities accountable for the illegal use of consumer data. New York State will work with other states to ensure competition and innovation in the digital marketplace by promoting coordination and consistency among their regulatory policies.”

This proposal is promising and, if passed, it would mean that New York would join California in enacting a comprehensive consumer privacy law. We will follow the proposal closely to see if this new proposal will add to New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which passed in 2017 and established cybersecurity regulations for the financial services industry.

Two anonymous patients being treated by fertility clinics operated by US Fertility LLC are suing the company following notification that their information may have been compromised in a ransomware attack that affected US Fertility servers and workstations.

On January 8, 2021, US Fertility notified patients of the incident that allegedly compromised patients’ names, Social Security numbers, financial information, health insurance information and medical information. According to the lawsuit, the incident took place between August 12 and September 14, 2020.

The patients allege that US Fertility did not use reasonable security procedures and practices to protect the information, and they seek to represent those who were affected by the incident. The plaintiffs seek damages, attorneys’ fees and costs and are requesting that all patients’ personal information and protected health information be destroyed unless US Fertility can demonstrate why it should retain the information.

Recently, the Federal Communications Commission (FCC) clarified that a call made using artificial or pre-recorded voice to a residential telephone line for the SOLE purpose of identifying individuals to participate in a clinical trial is exempt from the Telephone Consumer Protection Act (TCPA) “prior express written consent” requirement, provided that:

  • The call does not include any advertisement or telemarketing.
  • The caller does not make more than three of these clinical trial calls to one individual in any consecutive 30-day period.
  • The caller allows the individual to opt-out of receiving future calls about the clinical trial.

This clarification came in response to a petition from Acurian, Inc. (Acurian), a provider of clinical trial patient recruitment and retention solutions for life sciences. Acurian’s calls are made using a pre-recorded voice message offering introductory information about the clinical trial opportunity and about receiving a live follow-up call with a physician overseeing the trial. Acurian’s petition stated that it should be exempt from TCPA requirements because the calls it makes, even though they are pre-recorded:

  • Are not made for a commercial purpose.
  • Do not, and are not intended to, encourage the called party to engage in a commercial transaction.
  • Are analogous to the purely research calls that the FCC has already deemed exempt.

The FCC granted Acurian’s petition, saying that it did not need to reach the question of whether the calls were commercial because the communications lacked advertising, and the calls did not offer a free service as part of an overall marketing campaign (which would potentially need to meet the TCPA’s “prior express written consent” requirement).

This decision suggests that the FCC is open to the use of pre-recorded calls to residential lines without first obtaining written consent, provided they offer free opportunities and do not market or sell products or services.