The biggest Phishing Scams of the last decade

The biggest Phishing Scams of the last decade

October is Cybersecurity Awareness Month, so it’s almost mandatory to explore one of the biggest cyber threats known to date. Phishing scams are amongst the greatest cyber security threats that businesses and organizations face today. 75% of organizations around the world experienced some kind of Phishing scam in 2020. According to the FBI, there were nearly 11 times more phishing complaints in 2020 than in 2016. Phishing attacks are only rising with the increase in remote work. The attacks are becoming popular because they are easy for hackers to conduct and can potentially lead to large payouts. Phishing scams can lead to devastating costs for many parties involved. Below we will examine some of the biggest and most costly phishing scams that have happened in the last decade.

 

1. FACC

In January of 2016, FACC, an Austrian Aerospace and Defense company lost around €50 million from an email phishing scam. The scam was believed to be a Business Email compromise scheme, in which the attackers impersonate a finance official in the company and attempt to trick the email receiver into transferring a large amount of money into the attackers’ account. After the loss, FACC decided to vote off their CEO as a consequence, and also fire their Chief Financial Officer. It is unclear what their roles were exactly in this scam, but it is evident that the consequences of falling for such a phishing scam can be very severe and detrimental – not only financially.

 

2. Sony Pictures

In November of 2014, Sony Pictures was hacked by a group called “The Guardians of Peace”. Numerous consequences occurred; one of them being that 100 Terabytes of unreleased data and pictures were leaked. CEO of Cylance, a large computer security firm, stated that the hacking group was able to infiltrate Sony’s system through phishing scams they planted months earlier. Employees of Sony Pictures, including the CEO, received ID Verification emails that appeared to be from Apple. Once Sony was hacked, the attackers also demanded Sony to withdraw their movie “The Interview” which was a comedy about a planned assassination of Kim Jong-un, the North Korean leader at the time. Many cinemas refused to screen the film as the group also threatened terrorist attacks at the openings. It is difficult to calculate the full scope of damages of this phishing attack, but the estimated costs to the company were over $100 million.

 

3. Facebook and Google

Between 2013 and 2015, over $100 million was stolen from Facebook and Google through another clever phishing scam. The hackers created fake email accounts which looked like they were sent by employees of Quanta, an infrastructure supplier in Taiwan that both Facebook and Google worked with. The hackers then sent phishing emails with fake invoices to financial officers at Facebook and Google who were used to conducting such large transactions. Once the scam was eventually discovered, both companies took legal action and the hacker was identified as Evaldas Rimasauskas, a Lithuanian man who was then sentenced to 5 years in prison.

 

4. Colonial Pipeline

The most recent and largest phishing scam occurred earlier this year, in May 2021 to Colonial Pipeline in the U.S. Although Colonia Pipeline was hit with ransomware, the attackers only gained access through an employee’s email which was most likely accessed through a phishing attack, as the U.S. government believes. The exact source of the attack is still being investigated. It is impossible to determine how costly the cyber-attack really was, as effects have been felt in many countries that dealt with Colonial Pipeline and are still being uncovered. The company has already paid $4.4 million to the hackers. As the organization provided half of the oil supply to the U.S.’ east coast, the effects were felt publicly when gas prices soared after Colonial Pipeline was shut down for two weeks.

 

Phishing scams are not going anywhere, and the best way to stop and detect them is through your front-line employees. Regular phishing training should be conducted to help employees become aware of the severity of the attacks, as well as to know what to look for in everyday emails.

 

By: Joanna Ambros, MBA

 

ChannelNext East show gets back to In-Person events

ChannelNext East show gets back to In-Person events

By Paolo Del Nibletto

The ChannelNext East conference in Montreal was my first in-person event since January of 2020 and it hosted local channel partners and MSPs from the area as well as several more who live-streamed the show. The one-day event was held at the Riverside Event Venue in the city, and it provided the best backdrop for an in-person event under strict COVID-19 restrictions. Riverside is an indoor-outdoor facility that enabled the conference organizers TechnoPlanet to provide a safety-first, social distancing format for all attendees, speakers, and event staff.

TechnoPlanet president and show host Julian Lee said the IT industry needed to re-start in-person events after such a long layoff.

“The channel needs to get back to work and we see in-person conferences as an important part of a get back to work strategy. The main objective of the ChannelNext East event was to rethink the conference showcasing interesting areas that are more suited for the current situation,” he said.

This meant that a hotel, where most conferences usually take place, was out of the question. Hotels have plenty of moving staff going from event to event and the chances of cross-contamination would be high. For Lee and his team, they needed to adapt to a new situation that could best meet the new model, while having a hybrid approach so that it can interest a bigger audience. Another factor for Lee was his desire to support local businesses hard hit by the pandemic and subsequent lockdowns. This is why TechnoPlanet chose the Riverside indoor-outdoor event venue in the Saint Henri district of Montreal.

ChannelNext East featured a talk show format highlighted by opening keynote Q&A with Chris Fabes, the Canadian Channel Chief of Lenovo. Fabes talked about how Lenovo Canada would be helping channel partners and MSPs pivot from the pandemic, what investments they were making in the channel community and how they were scaling towards an as-a-service model.

This was followed up with a panel discussion on how to best approach the Digital First Economy which featured leadership consultant Glynis Devine and myself. I spoke about how MSPs can get a leg up on the digital economy with fixed cost, as-a-service solutions in security, backup, and cloud.

The show also featured an expo and a Lion’s Den competition with executives from Datto, Cyber Power, Net2Phone, SherWeb and ViewSonic squaring off in three-minute segments. Show attendees in-person and online could vote for who had the best pitch.

Finally, Randall Wark, the co-created of the Channel Partner Alliance took the stage to outline the benefits of the Mastermind programs along with bringing actionable strategies and insight on digital best practices to MSPs and channel partners.

Lee added the ChannelNext East hybrid event says there is help if the channel wants it.

“The struggle is real in the channel, but there is help out there either virtual or in-person.”

The ChannelNext East event may have been the first in-person show so far this year, but it will not be the last. Lee and his team are working on the next event that will be staged on Oct. 20th in Toronto.

Getting the Most from your Managed Service Provider

Getting the Most from your Managed Service Provider

The decision to outsource some or most IT operations to an external MSP (Managed Service Provider) is one that could directly benefit your entire company. MSPs can bring value by allowing your company to focus on what it does best without sacrificing time on managing their Information Technology infrastructure. The first step is to choose the right MSP for your company. Once your company has taken the plunge and committed to the right Managed Service Provider,  here is how to make sure you get the most value for your money.

Be Honest

Being completely transparent in terms of what your business goals and priorities are will be mutually beneficial to both your company and your Managed Service Provider. An open discussion about aligning your business goals and needs with the strengths and services of the MSP will only enhance the results you get. 

Build a Relationship

As you will most likely be working with your Managed Service Provider for a long period of time, ranging from months to years, it is important to establish a professional relationship with your MSP. Your Managed Service provider should essentially be a business partner that will not only enhance your IT software and services, but introduce you to external connections and broaden your company’s network.

Involve your Managed Service Provider in Planning Stages

If you have a specific vision for your company’s IT services, it is best to inform your Managed Service Provider early on so you can be on the same page. For example, do you want to focus on cloud-services only? Do you plan on improving your entire outdated IT infrastructure within one year or less? Or are you more focused on creating a fool-proof cybersecurity plan for your business? Determine your specific goals and priorities and include your MSP in the initial planning stages. Not only will you benefit from your provider’s expert opinion in IT, but you may also cut costs down the line by discussing your projects ahead of time and budgeting accordingly.

Utilize All Available Services

Your Managed Service Provider can provide a multitude of services, such as 24/7 Tech Support, Cybersecurity Services, Employee training programs, or Disaster Management. Find out from your representative what other services they think your company may benefit from. Even if you only commit to one plan when signing a contract early on with your MSP, down the line you may require more services and help managing as your business grows and scales. You may be surprised at the variety of ways an MSP can help your company that you have not thought of before.

Managed Service Providers can tremendously enhance your company’s operations. To get the most of your experience, it is important to establish a solid relationship with your MSP, have open communication about your business goals and plans and trust your MSP to provide you with the tools to succeed. Establishing a partnership with your Managed Service Provider will bring your company long-term enterprise success.

By: Joanna Ambros, MBA

How to choose the right Security Auditor

How to choose the right Security Auditor

Now that your company has decided to start performing regular IT Security Audits to ensure compliance and enhance cybersecurity, the next step is to find the right Security Auditor. Although it can seem like a stressful and daunting task, it is important to find an Auditor who is a suitable fit for your company. Focusing solely on low price may result in a poorly matched Security Auditor for your team. The right Security Auditor will be able to understand the specificities of your product and the challenges your company’s IT systems may be up against. 

What are some factors to consider when choosing a Security Auditor?

1) Qualifications

Auditors may be qualified to perform different levels of tests. It is first important to determine what compliance certifications your nature of business needs; it is common to see cloud-based service businesses needing SOC 1, SOC 2 and ISO 27001 as well as CCPA as compliance necessities. Do your research beforehand to see which Audit companies are qualified to run the tests you require.

2) Reputation

The key to vetting an Auditor’s reputation is to do thorough customer reference checks. You will want to ask those who have worked with the auditor a few of the following questions:

  • How flexible has this auditor been while working with you?
  • How would you rate them compared to other Security Auditors you have worked with?
  • Did their services and delivery measure up to what they promised?

It is usually well worth the price to partner with a reputable, more expensive Audit company and known brand than an unknown auditor with no references at a lower price.

3) Time Commitment

Your engagement with a Security Auditor could range anywhere from three months to several years as most security accreditation standards require annual renewals. It is relatively uncommon for companies to switch auditors once a match is made. The bulk of the work for an auditor is in the first year, and it reduces over time. It is a good opportunity to also consider long-term pricing arrangements which can either start low with a good deal and increase or lower over time.

4) Tools

What kind of tools and programs will the Security Auditor be using? Are these programs up to-date and in full support of cloud-based services?  If your company uses modern infrastructure and software, your auditor needs to fully understand those. Likewise, it is important that your own IT department understands these tools, and that they are scalable and easy to use.

Choosing the right IT Security Auditor can lead to a long-term beneficial partnership and relationship for your company. While evaluating choices, it is crucial to consider not only the price, but the timeline of the relationship, the Auditor’s reputation and reliability, their qualifications and the programs that they will use to maximize the value of the audits specific to your company’s needs.

 

By: Joanna Ambros, MBA

The Importance of IT Security Audits

The Importance of IT Security Audits

In today’s modern day and age, it is crucial for companies to take their Information Technology systems seriously to avoid the possibility of cyber-attacks and data breaches. A great way for companies to ensure their Security remains up to date and compliant is to perform regular IT Security Audits.

What is an IT Security Audit?

To begin defining an IT Security Audit, we can examine the formal definition of an Audit as provided by the Institute of Internal Auditors: “independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

An Information Technology Security audit is a  comprehensive review of your company’s entire IT infrastructure. This includes a full review of your IT systems, management, applications, and data uses amongst other processes. The purpose of this audit is to evaluate the overall safety of your network. A good comprehensive audit would suggest improvements and identify any weaknesses in your system, to ensure greatest operating efficiency and cybersecurity.

What are the Benefits of IT Security Audits?

Companies should perform regular IT Security Audits to determine if their infrastructure properly is able to secure the company’s data and assets. There are many benefits to performing these audits regularly:

  • Reducing Expenses – IT Audits can help you uncover which services you no longer need as well as outdated software and help your company save money in the long run.
  • Ensuring Compliance – Regular IT Audits will also ensure that your company’s Information Technology platform and systems are up to date with your country’s standards. This will help avoid any legal disputes and fines down the line.
  • Verify Security Effectiveness – Certified IT auditors will use various tests to verify how effective your current cybersecurity processes are.
  • Improve Communication within the Company – Regular IT audits can enhance the communication between different departments with the Information Technology department.

Types of IT Security Audits

There are four main types of security tests in an IT audit. These include: Vulnerability Tests, Penetration Tests, Risk Assessments as well as Compliance Audits

Vulnerability tests are performed to identify any loopholes or risks in your IT system’s design, to reduce risk. Penetration tests are used to stimulate disruptive conditions and break into your system, such as sending email links with malware. These are great for improving employee security training and testing antivirus software. Next, Risk Assessments are used to identify and eliminate risks associated with using your company’s IT systems. When risks are identified, the next step for companies is to determine what investments should be made to eliminate those risks. Lastly, Compliance Audits ensure that your company’s IT systems adhere to the legal standards in your country or industry.

Regular and successful IT Audits will ensure that your company’s IT systems are well protected against modern threats, and compliant to regulations. The best way to protect your company’s security in today’s technological society is through expert auditors.

 

By: Joanna Ambros, MBA

 

Partnering with a Managed Service Provider: What to Consider?

Partnering with a Managed Service Provider: What to Consider?

For many small or medium sized businesses, as well as emerging start-ups that do not have the capacity to manage their own Information Technology Infrastructure, a Managed Service Provider is a great solution. An MSP (Managed Service Provider) is a third-party company that remotely manages a company’s IT infrastructures and performs day-to-day management services. With so many MSPs globally available today, it is important for a business to first consider some critical questions before choosing the right MSP to partner with.

1. At what point should your services be managed by an MSP rather than in-house?

The first step is to determine what services are actually worth managing by a third-party. If a company has less than ten computer users, it may actually be more cost-effective to do all services in-house. However, if a company is scaling and has over two hundred end users and is still in the process of growing, most services should be managed by an MSP to enhance productivity and cost-effectiveness for the business.

2. What competitive advantage does the MSP offer?

What differentiates the Managed Service Provider that you are considering? Is it their extremely well reviewed customer service and 24-hour support, or the low cost? Or is the MSP more costly but more committed to the latest technological upgrades and constant improvement? Companies should determine what is most important to them at their stage of growth and choose an MSP according to that specific competitive advantage.

3. Does the MSP offer after-hours or onsite support in the case of an emergency?

Depending on where your company is located globally, natural disasters could be a serious risk for your IT infrastructure. Your company could also be a victim of a data breach. No matter what the worst-case scenario is for your business, it is a huge bonus for the Managed Service Provider to offer immediate and onsite support at all times in case of any emergencies. If your company is in an area more at risk of a natural disaster, it is important to determine which providers include on-site support as some only offer remote guidance.

4. Does the MSP offer an all-inclusive support plan?

An All-Inclusive support plan works out to the benefit of both parties; the MSP and the company using their services. A flat-fee arrangement motivates the MSP to perform quickly, whereas an hourly billing service may not be ideal for a starting company strapped for cash.
Make sure you are fully aware of what is included in the all-inclusive service plan. Some examples of services to look for include:

Choosing a Managed Service Provider is an exciting step to take, but one not to take lightly. The right provider can tremendously help your business improve technological efficiency. It is important for any company no matter how small or big to do proper research and consider the above essentials to make an informed decision.

By: Joanna Ambros, MBA