You’re not imagining things if it feels like you saw more headlines in the past 12 months about massive cyber-attacks and big companies being breached than you did in the past. 2017 was a year that saw ransomware become a household term thanks to the WannaCry and NotPetya attacks. It was also a year that brought historic data breaches like the one at Equifax that left consumers and businesses alike feeling vulnerable.
In a way, 2017 has been the cybersecurity wake-up call that your SMB customers needed. According to Ponemon Institute’s 2017 State of Cybersecurity in Small and Medium-Sized Businesses, 61 percent of SMBs have experienced a cyber-attack in the past 12 months. And these attacks end up being expensive. The Ponemon report found that the average cost due to damage or theft of IT assets was $1,027,053, and the average cost due to disruption of operations was $1,207,965.
As we close out 2017 and prepare for 2018, let’s look back at the cyber-attacks and data breaches of 2017 that held the most significant lessons for MSPs and their customers.
Gmail Phishing Attack
What Happened: In January, researchers discovered a Gmail phishing scam that was frighteningly convincing—and effective. The phishing emails tricked recipients into clicking on what looked like a Google Doc shared by someone they know and then entering their Gmail credentials on a fake login page.
What It Taught MSPs: The importance of user education and two-factor authentication. Teaching end-users how to spot a phishing attack will help them see the warning signs on an email like this—before they’ve clicked on anything suspicious. Two-factor authentication would also help foil a scam like this because even if the attackers were able to get a user’s credentials, they wouldn’t be able to access the account without a second trusted device.
What Happened: In February, a bug was discovered that caused Cloudflare’s edge servers to leak passwords and other potentially sensitive information. The problem compromised the security of thousands of websites, including Uber, Fitbit, and OKCupid, for more than six months before it was discovered.
What It Taught MSPs: Cloudbleed reminded companies of all sizes of the importance of monitoring the security of their websites on an ongoing basis because potential vulnerabilities can be uncovered at any time.
Wikileaks Vault 7 & the Shadow Brokers
What Happened: In March, Wikileaks published a series of documents and hacking tools, collectively dubbed “Vault 7,” which it said were stolen from the CIA. At the time, Wikileaks held back some of the code it said would reveal unpatched vulnerabilities and bugs. But in April, a group known as the Shadow Brokers published a number of potent zero-day exploits and hacking tools they said were stolen from the NSA, including an exploit known as EternalBlue, which targeted a Windows vulnerability that Microsoft had released a patch for in March.
What It Taught MSPs: Cyber threats are constantly evolving as attackers get access to and create more powerful and sophisticated exploits. MSPs and their customers need to develop a more sophisticated approach to security in order to defend against these types of threats.
What Happened: On May 12, the WannaCry ransomware attack quickly spread across the globe, affecting more than 100 countries. The attack hit Russia and Ukraine particularly hard and caused chaos at the UK’s National Health Service. The malware used the EternalBlue exploit published by the Shadow Brokers the month before, which targets a Windows vulnerability that Microsoft had released a patch for in March.
What It Taught MSPs: Keeping customers up-to-date with security patches is critically important. All the organizations that fell victim to WannaCry were behind on updating their security patches or were running an outdated legacy system, and many MSPs spent the hours and days after the attack rushing to make sure all their customers had the appropriate security patches in place.
What Happened: In late June, another global malware attack known as NotPetya spread rapidly and at first appeared to be a ransomware attack similar to WannaCry. Its primary target seemed to be Ukraine, and it also seemed to be using the EternalBlue exploit. But researchers soon discovered flaws in the code that made it look like the malware was designed to cause destruction, not make money. Infected computers were unrecoverable due to faulty encryption by the malware.
What It Taught MSPs: You always need to be preparing for the next attack. Customers can’t assume they’re safe if they don’t get affected by one big attack, and they shouldn’t rely on being able to simply pay the ransom and get their data back. As an MSP, you need to keep up a steady stream of security patches and education about security best practices.
200 Million Voter Records Exposed
What Happened: In June, a database of personal information on nearly 200 million U.S. voters was leaked inadvertently by Deep Root Analytics, a contractor working for the Republican National Committee. The database was stored on an Amazon S3 server, and an improperly configured security setting left the database without password protection, making it publicly available for download.
What It Taught MSPs: Information is not automatically secure because it’s in the public cloud. Organizations and their service providers are responsible for securing access to the information and applications they choose to store there. It also highlighted the importance of understanding the security practices of the businesses you trust with sensitive or business-critical information.
Verizon Data Breach
What Happened: Verizon learned a similar lesson in July when personal details about 14 million customers were exposed by a third-party vendor that left the data on an unprotected Amazon S3 server.
What It Taught MSPs: When moving to the public cloud, it’s important to work with organizations that understand security and how to manage it in this setting. MSPs that develop expertise in securing data in the public cloud will be in demand going forward as more organizations figure this out.
Equifax Data Breach
What Happened: In September, the credit rating agency Equifax revealed that a data breach earlier in the year had exposed sensitive data about as many as 143 million people. The attack exploited a web application vulnerability to access data over a period of several months.
What It Taught MSPs: Patch, patch, patch. A patch had been released several months before that breach for the vulnerability that the attack exploited, but the patch had not been implemented by Equifax. The incident also reinforced the importance of a multi-layered approach to security. After the attack, Gartner analysts pointed out that having layered controls in place could have helped Equifax limit damage from this type of attack.
What Happened: In September, Deloitte, one of the “big four” accounting firms, fell victim to a sophisticated attack that compromised confidential emails and plans of some of its most well-known customers — and went unnoticed for months.
What It Taught MSPs: The attackers used an administrator account that gave them broad access and only required a single password. Two-step authentication could have helped stop the attack, so MSPs should consider strengthening access controls for their customers.
What Happened: In October, following Yahoo’s acquisition by Verizon, the company revealed that the 2013 hack Yahoo originally said affected 1 billion accounts actually impacted all 3 billion user accounts.
What It Taught MSPs: A single security breach can have a long-lasting impact on the affected organization and its reputation. Even a security breach that happened years ago can come back to haunt you and your customers.
What Happened: In November, Uber confirmed that a breach in October of 2016 compromised personal information about 57 million Uber riders, as well as information about more than 7 million drivers. Instead of disclosing the breach, executives concealed it for more than a year, paying the hackers $100,000 to delete the data and keep quiet.
What It Taught MSPs: Honesty really is the best policy. Uber saw significant backlash for keeping the breach secret. Following the revelation, three U.S. senators even introduced the Data Security and Breach Notification Act, which would require companies to report breaches within 30 days of discovery. Plus, individuals who help conceal a breach could face up to five years in prison. If the bill becomes law, the stiff penalties should certainly help motivate executives to be more transparent about data breaches going forward.
Bitcoin Exchanges Robbed
What Happened: In early December, hackers stole millions from two different bitcoin exchanges. NiceHash lost about $64 million worth of bitcoin, and thieves stole nearly a fifth of Youbit’s clients’ holdings in a variety of digital currencies. Shortly after the attack, Youbit announced it was filing for bankruptcy.
What It Taught MSPs: Cyber-attacks can be expensive, both in terms of lost or stolen data and the cost of disruption to operations. Many victims will struggle to recover, and some won’t recover at all. So the stakes are high when you’re an IT service provider trying to keep customers’ data secure.