March 10, 2021
Good morning, everyone!
Patch all Microsoft Exchange Servers Now
Last week, Microsoft released out-of-band patches for Exchange Server 2013, 2016 and 2019. These patches fix critical vulnerabilities that are already being exploited in the wild. (@SpyseHQ tweeted a graphic showing that nearly 200,000 servers have already been compromised, overwhelmingly located in the US.) Microsoft also released information on mitigations for those who are unable to install the patches immediately; mitigations reduce exposure but are not a substitute for patching. Don’t delay! Get this information to your IT team (and hope they’ve already taken care of it).
Cyber Security Best Practices
Yesterday CISA’s Eric Goldstein spoke at a Center for Strategic and International Studies event focused on the recent USTelecom survey report “2021 Cybersecurity Survey: Critical Infrastructure Small and Medium-sized Businesses” with some pretty shocking statistics:
- 75% of critical infrastructure SMBs experienced a breach at least once in company history
- 45% experienced a breach in the past year
- on average, it took a company 7.5 months to fully recover from a breach
- 59% reported the breach stopped productivity
- 46% lost customers as a result
- Companies spent on average $170,000 to resolve a cyber breach
What exactly is a critical infrastructure small or medium-sized business? CISA has identified 16 critical infrastructure sectors, utilities among them. (Did you know, for example, that rural electric cooperatives operate in 47 states and provide electrical service to over 40 million people?) Critical infrastructure is more than just utilities, though; the list also includes telecommunications, finance, healthcare, manufacturing and more.
In his talk, Goldstein stated:
“Adversaries of all types are targeting American businesses now. It is not just the case if you are a company that has some highly sensitive IP or provides critical infrastructure. […] We are now seeing adversaries, including criminal groups, that will launch indiscriminate attacks, really just targeting anybody in this country with a vulnerability in order to launch ransomware attacks, extort money for information, those kind of activities. So really every company in America is at risk even if the services provided or the data stored by the company would not seem to be of interest to adversaries”
So what to do? Goldstein says
“We are past the days when large companies or SMBs cannot be in the business of cybersecurity. Every business leader needs to see cybersecurity risk as a core function of their business management.”
That means the first thing is to change your perspective. No more ostrich mode! It doesn’t matter how small your business, or even how small your household is (!), you are a target for cyber criminals. I recently read an interesting article (The Behavioral Economics of Why Executives Underinvest in Cybersecurity) that discusses the problems with using the wrong mental models (i.e., thinking about something the wrong way) to make important decisions:
“[I]nsights from behavioral economics and psychology show that human judgment is often biased in predictably problematic ways. In the case of cybersecurity, some decision makers use the wrong mental models to help them determine how much investment is necessary and where to invest. […] The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. No matter how fortified a firm may be, hackers, much like water, will find the cracks in the wall. That’s why cybersecurity efforts have to focus on risk management, not risk mitigation.”
This reminds me of one of my favorite quotes “Cyber security is not a problem to be solved, rather a risk to be managed.” Cyber security is never going to be “fixed.” It’s a process, where your goal is not perfection, but continuous improvement.
Okay, so how do you protect yourself? For starters, refer back to my previous newsletter “Top Three Ways to Protect Yourself Online – for free!” and my “Back to Basics” series (part one, part two and part three). If you want more personalized advice, contact me!
When “Smart” Devices Let You Down
Last week I read about this:
If you own a 2013 SmartThings hub (that’s the original) or a SmartThings Link for the Nvidia Shield TV, your hardware will stop working on June 30 of this year.
How irritating! It’s not the first time this has happened, though, and it won’t be the last. Sometimes they don’t kill the device but they restrict your use of it. This got me thinking about how dependent so many people are becoming on “smart” devices, especially Internet of Things (IoT) devices. Do you understand the risks? Do you have mitigation plans? Do you have backup plans for service failures? Let’s take a look at a few of these things – next week!
Talk to you again soon!
Security Awareness Training Goes Virtual
Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slides across your screens, wherever you and your employees may be.
Contact me to schedule your employee training sessions. They're fun! ☺