In an official statement posted on its website yesterday, Tether, a startup that offers 1-to-1 dollar-backed digital tokens [USDT], said a hacker stole funds worth $30,950,010. Tether claims the hack took place on Sunday, November 19, and that the hacker removed funds from the main Tether Treasury wallet and moved them to the 16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r address.
A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan, but could also be used as an infostealer or backdoor. Named Terdot, this new malware is not a widespread threat just yet. For now, the banking trojan has been seen targeting the customers of Canadian banks, distributed via the Sundown exploit kit and through spam email.
Cash Converters has reported the threat to the authorities in the UK and Australia, and has appointed security advisors to review its systems. Credit card data was not stored on the webshop, although hackers may have accessed user records including personal details, passwords, and purchase history.
The Key to Better Cybersecurity: Keep Employee Rules Simple
It’s a common adage that employees are the weak link in corporate cybersecurity. They are also the best defense, if they are given policies that are easy to follow and not too numerous and complex. Employee security training and best practices need to be user friendly and simple to be effective.
Cyber attackers don’t need to have advanced hacking skills to break into corporate networks; they just need to know how to trick people into opening attachments and clicking on links. Phishing attacks are the cause of 90% of all data breaches and security incidents. Clearly, employees are the main gateway into the organization for attackers. As a result, they are also the first line of defense.
One of the big reasons security rules often don’t work is that they are so complex they drive people to take shortcuts that defeat their purpose. For example, password policies are so complicated and inconvenient that most employees just ignore them. Employees are told to change passwords frequently, but researchers have found that when people are required to come up with new passwords every three months they tend to do things like merely capitalizing the first letter or adding a number on the end to save time. This makes each new password easier to crack than the last. Being creative gets exhausting when you have to do it repeatedly, yet most companies force this on employees for the sake of security.
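The predictable-transform problem described above can be caught at password-change time instead of being left to the employee. The following Python check is an added example, not from the article; the function names and sample passwords are constructed for illustration. It strips away the lazy edits the researchers describe (case changes, digits or symbols tacked on at the ends, common letter-for-number substitutions) and rejects a new password whose remaining core is essentially the old one.

```python
import re
import string

# Runs of digits/punctuation at either end of the password: the "add a number on
# the end" trick from the article, plus the same habit at the front.
_EDGE_FILLER = re.compile(
    r"^[\d%s]+|[\d%s]+$" % (re.escape(string.punctuation), re.escape(string.punctuation))
)

# Common leet substitutions undone so "P@ssw0rd" and "Password" share a core.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def core_of(password: str) -> str:
    """Reduce a password to the 'word' an employee is probably reusing."""
    folded = _EDGE_FILLER.sub("", password.lower())
    return folded.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (small inputs, so O(len(a)*len(b)) is fine)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def trivial_rotation_of(new_password: str, previous_passwords, max_core_edits: int = 1):
    """Return the previous password the new one is derived from, or None if it passes.

    Hypothetical policy hook: a real deployment would call this from the
    password-change handler with the user's recent history (hashes are not
    enough here; the comparison needs the old plaintext at change time).
    """
    new_core = core_of(new_password) or new_password.lower()  # all filler -> compare raw
    for old in previous_passwords:
        old_core = core_of(old) or old.lower()
        if edit_distance(new_core, old_core) <= max_core_edits:
            return old
    return None


if __name__ == "__main__":
    history = ["Summer2023!"]  # constructed sample history
    print(trivial_rotation_of("Summer2024!", history))            # -> Summer2023!
    print(trivial_rotation_of("correct-horse-battery", history))  # -> None
```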
Another reason internal cybersecurity practices don’t work is that employees are so overwhelmed with guidance and information about things they should and shouldn’t do that they can’t digest it all. They are shuttled into mandatory half-day security training sessions, at which they often spend time staring at their phones or pretending to pay attention. It’s too much information to expect someone to absorb and remember, but for IT, it serves a purpose: enabling admins to report back to their department heads that they have trained employees on security best practices. It’s a compliance action that isn’t effective and wastes employee time.
Most internal security tests are too broad and unfocused. For example, IT departments tend to do phishing tests by sending out the same fake email to all employees.
A Culture of Openness
An often overlooked aspect of employee security practices is the relationship between the employee and the IT department and security team. In most organizations, employees view the security team as the traffic cops of the enterprise who are constantly telling them they can’t do something they want to do, like download an external software program. Employees complain about delayed IT responses to help desk tickets and there tends to be an adversarial relationship there. This situation needs to change if organizations want to improve the security practices of employees. The security and IT teams need to be seen as trusted and helpful advisors to employees, instead of as regulators.
The best way to change this dynamic is to increase the opportunities for interaction between employees and IT. This can take the form of office hours, when employees can seek help and information on IT and security issues without being treated as an annoyance. And IT can be more proactive about getting to know employees and finding out what they are experiencing by mingling more among employees, instead of showing up only when someone requests something.