Boyce, VA 22620

Do not be misled by the uninformed.

Do not be misled by the uninformed.

Sadly people spread wrong information all over the place these days. Many times it is unintentional, often simply an opinion based with no facts or research as a foundation. While intentions may be well meaning, bad information regarding Cybersecurity can lead to devastating consequences.

With over 25 years in the Information Technology industry and being strictly focused on Cybersecurity for the past several years, I am on a mission to ensure that businesses and individuals are aware of the risks of being so hyper-connected and measures that need to be taken to avoid becoming a victim of cyber crime, how to know if you are a victim and what needs to be done to minimize the damage.

These are things that must be considered so that even if you are a victim ( which is highly likely ) of a cybercrime, breach or compromise you are able to minimize the damage that can be done.

Cybercrime is on the rise and every industry is being affected by it. Scams are also being portrayed using every possible way imaginable. This is backed up by the statistics from every reputable source. In fact only a short time ago an FBI agent in the cybersecurity task force was at an international convention and started his talk with “There are two kinds of businesses in the world. Those that have been compromised and those who will be.” Only a few months later the same agent at another conference updated his talk to begin with “There are two kinds of businesses in the world. Those who know they have been breached and the ones who are unaware of it.”

Read that again.

It is startling to say the least. Being hyper-vigilant – AWARE, and informed is paramount in the world these days. The first thing I generally do is investigate the information that is being presented to me. I am especially wary of claims that certain cybersecurity measures are not necessary or are only scams. It is particularly alarming when those spreading such misinformation are also the same ones who are entrusted with another persons cybersecurity implementation.

The following is an example of the kind of misinformation that is being propagated. Unfortunately bad information like this is being given by members of the IT industry. I am sure I will receive some sort of backlash from this but I know the facts dispel this kind of uninformed opinion.

Have you or someone you know been offered a “Dark Web Scan”? This type of “Pwned” search can be done for free online (at your own risk), but that’s not at all necessary. Why? The chances are very high that your old passwords have in fact been published via the over 40,000 major criminal hacks that have taken place over the past ten years. What is necessary is simply not using your old passwords. Simply change all of your online passwords to new, original and complex entries that could not have been sold via hacked online databases. Best of all, it’s FREE!

While I truly hope this individual has only the intentions of helping others, the statement could lead people to develop a false sense of security. Hopefully you have not been advised as such, If you have you may want to reconsider your sources regarding Cybersecurity.

The other statement that is frightening is the claim of ONLY 40 thousand major criminal hacks over the last 10 years. I am sure he is referencing ONLY the USA. Regardless of the number of breaches the number of records tells the real tale. According to Forbes ‘Data breaches exposed 4.1 billion records in the first six months of 2019’. So being that there only 330 million or so US citizens it would mean that EVERY person in the USA had data compromised in a breach more than 12 times in the first six months of 2019. If we want to be more globally fair, the world population was 7.7 billion in 2019. at the rate Forbes announced it would take less than a full year to be more than 1 compromise per person. That includes every living human being on the planet including the ones who do not have any digital fingerprint at all such as children and those living in remote and utterly disconnected areas.

The Truth is much different. There are over 1 million cyber attacks EVERY DAY. If you multiply that by 10 years you will come up with 3,650,000,000. That is over 3.5 BILLION attacks in 10 years. I believe that the success rate of attacks is much higher than .0001% (1/1000th of 1 percent). As far as I researched in a quick 2 minute check I tallied up over the mentioned 40K for less than 7 years. However that number is also insignificant because the attack rate and the accompanying success rate continue to grow at an alarming rate.

As a side note, I am not sure what he means by Major Criminal Hacks but regardless of the size or amount of data that is compromised, if that company happens to be yours, it is major to you. In fact so major that over 60% of businesses who suffer a breach go out of business within a year. I did do a scan and found that there were several compromised credentials from that domain in just the past 30 days. I wonder if he is aware of that? Check out my podcast Into The Breach where I report on the most significant breaches that take place in the USA each week.

Why the above advice is, simply inaccurate and extremely misleading for both individuals and businesses.

  1. There may be sites or programs they have forgotten about that have been compromised. If you are a business you will need to ensure ALL employees change ALL passwords to ALL websites they have joined or have accounts with under your company name or even personal accounts they may have where they have used your business email address. Oh yeah, are you sure you know ALL of the sites former employees signed up on and that those accounts have been closed on those services as well as being disabled inside your systems?
  2. If they do change ALL their passwords today, They may be safe today. but what about tomorrow. They will need to change all their passwords again and once again be certain they did not miss one. As well, the password will need to be changed daily because once it is used it is old and could have been compromised by a breach that has not yet been discovered.
  3. Even changing All Passwords to original and complex passwords does not ensure an account that gets compromised cannot cause damage. Quite often credit card numbers and cvv’s that coincide with them are compromised. Knowing when a breach with your information has happened allows you to take a more proactive approach rather than being blindsided.
  4. How are they remembering all those passwords? Are they writing them down or having insecure browsers save them, browsers that are likely not secure because they have not been updated recently if at all.
  5. As a business, being proactive is tantamount. In order to minimize the damage of a breach, you should monitor your domain name on the dark web. It will often turn up before you are notified by other companies or your system gets locked down.

Let’s expand on that last one for a minute. Assume you have taken the advice of the individual I quoted above. Tomorrow a breach happens and data is sold on the Dark Web. The data that is for sale contains your name, address, email, credit card number with cvv. The breach is not discovered by the company for the average amount of time which is around six months. During that six month period your information has been sold to multiple people. Four days after you took care of the password change your credit card company calls you to inquire about a $5000 charge made on your card. You deny that you made the charge because you in fact did not. You try to log on to your account but the password has been changed as well as the password recovery security questions. You then call your bank back to let them know about this. They get access to your account back and you are able to access the account. You notice there are several more charges for relatively small amounts between $30 and $500. You contact the bank again to inform them about these other fraudulent charges. They tell you that you need to contact Visa directly about these charges and they cannot do anything to refund your money. They let you know they will cancel that card and will send a new card to you within the next 7 to 14 days.

Here is an actual incident of a Cybersecurity professional I know who had his credit card hacked. It was used to purchase over $35,000.00 worth of machinery while he was on a flight back from South Africa. He knows it happened while he was in the air because the only time he used that card was 5 minutes before he boarded the plane.

I know for a fact it can and does happen like that. I was a victim in 2014. I used my card to make a purchase at a Dollar Store. Something made me check my account when I got home which was less than 5 minutes later. In that short period of time there were 4 additional charges on my card, Card present purchases that were over 200 miles away. I was fortunate that I checked and discovered the fraudulent charges and also because I belong to a credit union. That was a Sunday afternoon. I called the hotline and they informed me that I would need to come into the branch the next day as early as possible. The manager greeted me and related how lucky I was not only that I had used my ATM card as a credit card but also that a credit union issued it. Because of these facts I had a new card and all funds were placed back into my account before I left the branch 20 minutes later. The manager told me that her nephew was not so lucky and the $1500 charge was not credited back to his account from a situation quite similar to my own.

I can go on with more real life examples but that would only be redundant yet very accurate and real. I feel my point has been made.

So again, I caution you to take recommendations such as the above with a grain of salt. If it sounds too easy it probably is and is also probably bad information regardless of how well intentioned. I personally feel that following the advice above is like never changing the oil in your car and believing it will run forever. The surprise comes when the engine seizes because of lack of prescribed maintenance recommendations. I have attempted to drive the point home about the importance of the need to take cybersecurity seriously.

If you do not believe it is as serious as I am reporting I invite you do do a little research on your own. Just as I have done on several occasions, search Google. Here is a good place to start. Use this search term – total number of data breaches in 2019. But if you must go ahead and heed the advice like that stated above. That person obviously knows more than the FBI Cybersecurity task force and every other Cybersecurity on the planet. We are just lucky to have such a gifted person living in the Winchester Virginia area and providing IT services to our community.

Cybersecurity is not ever a one and done solution. You may be lucky for a while but it will catch up to you over time. You can view our clean bill of health by contacting me. I am not afraid to be transparent.