April Update – Increase in Cyber Threats

I need to call your attention to a current security matter. In the past several weeks there has been a measurable increase in sophisticated email phishing attacks orchestrated through intense targeted social engineering.

There has been a sharp rise in email cyber threats across the nation. I have been made aware of this situation on a national level through my affiliation with the FBI and my participation in a national information technology peer group. Throughout the United States, the FBI has seen an increase in these cyber breaches and a significant increase in losses reported to the internet cybercrime division, IC3. Managed Service Providers across the nation have been battling this increased email threat level. I have seen evidence of the immediate cyber threat in our own client base here in Houston as well.

Executive level awareness is of paramount importance. For our clients whose network is managed by MergerTree, multiple layers of network security are in place and actively managed. The current attack is a direct cybersecurity threat with the ability to circumvent network security. The vulnerability to our clients is via the susceptibility of staff to social engineering. Network security can lock up the network and secure the data, but if a staff member falls victim to a phishing email and inadvertently gives their access to a criminal then they have effectively opened the door and invited the perpetrator into your network. This is what we are seeing over and over across the country.

There is an intangible element to cyber threats that can make them difficult to grasp. It is simpler to illustrate with an example of physical security. Let me explain .

  • Suppose you purchase and have installed strong locks on all the doors and windows of your home. Then you purchase and have installed a security system with cameras that record events such as doors opening. You have alert levels set for things like smoke, or a window breaking. You have established multiple layers of home security as we have established network security for your organization.
  • You talk to your family about stranger danger and tell them to lock the doors when they leave and lock up again when they come back inside. You have established a security procedure.
  • Now suppose someone with bad intentions comes to the door and your family opens the door. Security is breached.
  • Aware of a higher threat level you may counsel your family not to open the door to strangers, reestablishing a higher security level as we have by warning clients not to open suspicious emails or click on unknown links.

Cyber-attacks have evolved.

  • Suppose someone texts a member of your family and says they are in the drive way and need help carrying things inside. Suppose the text looks like it is coming from you, the words in the text sound like you, they know things only you should know; nicknames, speech patterns, common phrases. But it isn’t you. It is a criminal with knowledge gained from intelligent phishing using social engineering to manipulate access through your carefully constructed layers of security. That is where we stand with this current cybersecurity threat.

The  largest threat vector in our client base is through staff awareness. These criminals are not brute forcing their way in, they are cleverly disguising themselves and being ushered through security. Your strongest action for mitigating this threat is to immediately make it clear to staff that this is an executive priority and insure your team pays attention to the alerts and training coming to them from MergerTree.

CALL TO ACTION:

  1. Make it known this is an Executive priority.
  2. Immediate emphasis on procedure where any money transfer or irregular payment is confirmed by phone prior to transaction.
  3. Instruct employees to pay attention to emails from MergerTree and complete offered training.