If you're not teaching all of your employees proper security hygiene, you are leaving the door open to risk. Close that door by providing accessible training.

Many studies show that companies with gender and racial diversity within their board, leadership team, and workforce are more likely to have increased profitability and greater competitive advantage. Equitable access for all employees is an important part of ensuring diversity with the organization, but companies have a long way to go when it comes to accessibility, especially for people with disabilities.

According to the World Economic Forum, businesses that include disabled people see as much of an improvement in performance as those with higher degrees of female and racial minority representation. "With 28% higher revenue, double net income, 30% higher profit margins, and strong next generation talent acquisition and retention, a disability-inclusive business strategy promises a significant return on investment," its Valuable 500 project asserts.

Within cybersecurity, security awareness training programs are an incredibly important part of preventing breaches, given most attacks use some form of social engineering. However, many such programs are not fully accessible for all employees. This increases the risk of security threats, as a swath of employees are not educated or trained to recognize security threats, properly respond, and escalate.

For many, their online experience is already challenged by language barriers. An estimated 98% of Web pages are published in just 12 languages, and more than half of them are English, yet less than half of the world's population speaks one of those 12 languages as their first language.

This is compounded by the difficulties put in the way of people with disabilities. The average website home page contains more than 50 accessibility errors. Combine that with the poor digital usage rates of individuals who need accessible content most, and you can see how a significant number of users aren't getting the information they need to keep them, as well as their employers, safe from cybersecurity threats.

Human error exposes organizations to tremendous risk, as cyber breaches are often caused by these mistakes. When companies don't prioritize accessibility in training employees, they exclude a portion of their workforce who then cannot help combat cyber threats. If your security awareness training program isn't inclusive of diverse populations and does not meet minimum accessibility standards, you are more vulnerable to attack, and those you have not trained will be your weakest spots.

**What Is Accessible Security Awareness Training?**

Accessible security awareness training maximizes inclusivity — or, to reverse the thinking slightly, minimizes the number of people excluded from the program. This means the training content can be viewed by individuals who prefer learning in a language not considered the main language in your city or country, and individuals living with a disability and/or who use assistive technology, such as a screen reader, to consume digital content.

Basically, the training must be designed with all users in mind. From text courses to interactive learning and overall structure, there are a lot of variables to consider. Built-in customization gives those who require an alternate learning experience the opportunity to tailor training to their specific needs. This can be as simple as a tick box that serves as an opt-in for the accessible version of your security awareness training.

**7 Ways to Make Security Awareness Training More Accessible**

Truly accessible security awareness training content is built from the ground up, with various measures considered early in the creative process. Here are seven tips to help make your security awareness training more accessible to all users:

1.  Write clearly and concisely for better understanding.
2.  Make training available in multiple languages.
3.  Clean up your lesson structure to make content streamlined.
4.  Carefully consider the colors and contrasts you use.
5.  Use descriptive links and alt text.
6.  If video is essential, use closed captions.
7.  Use pop-out windows to maintain interactivity.

By considering these tips when designing your security awareness training program, you are including all people within your organization, which supports a culture of vigilant employees.

We implement security awareness training to equip our employees with the best tools possible, so they can help prevent cyberattacks and breaches. We need to make sure everyone is as safe online as they possibly can be. If accessibility is not present, we are failing our employees and creating risk within our organization.

Remember to check in on your organization's security awareness training program and determine what improvements can be made. Listen to your employees and recognize their needs so that you create the best possible first line of defense against security threats.

Accessible Cybersecurity Awareness Training Reduces Your Risk of Cyberattack

Cybersecurity insurance costs are rising, and insurers are likely to demand more direct access to organizational metrics and measures to make more accurate risk assessments.

The rising cost of ransomware attacks is helping push significant premium increases in cyber-insurance policies in the UK and US, new data shows.

With the average payouts across the past two years averaging more than $3.5 million in the US, a growing number of cybersecurity insurers want direct access to customer security metrics and measures. This would help prove the status of security controls, according to a Panaseer report on the state of the cyber-insurance industry.

However, insurance firms are struggling to accurately understand a customer's security posture, which is in turn affecting price increases.

Nik Whitfield, founder and chairman of Panaseer, notes that 82% of insurers surveyed said they expect the rise in premiums to continue. "The increasing cost of ransomware is putting premiums up, and the increase in the number of attacks, as well as the number of successful attacks, means insurance is getting harder to get and is getting more expensive," he explains.

Meanwhile, 87% of insurers surveyed say they want a more consistent approach to analyzing cyber-risk. "Fundamentally, insurers need better information in order to price the risk — questionnaires aren't going to cut it," Whitfield says. "Having real live data coming from a customer about their security posture is what's going to be required for them to accurately price risk, in the same way that telematics did for car insurance."

The survey found that the most important factor when assessing potential customers' security posture is their cloud security — cited by 40% of survey respondents — followed by security awareness (36%), application security (32%), vulnerability management (31%), privileged access management (31%), and patch management (30%).

One of the likely challenges in the market, Whitfield points out, is the high degree of hesitancy many organizations may have about handing over privileged information about the inner workings of their security posture. "No one wants to share their security information with anybody else because that creates a security risk, and it feels vulnerable to expose intimate information about your security posture to others," he says.

Worst case, there will be companies unable to get insurance because they can't provide sufficient information to get reasonably priced insurance, according to Whitfield.

"In those cases, they will have to do something more extreme, such as providing evidence, information, and hopefully work with their insurer to improve their security posture," Whitfield notes. "It's like any type of risk — the better the risk looks to the insurer, the better your premiums and the easier it will be to get insured. And it'll be no different in cyber."

**Cyber Insurance Market Waffles on Pricing**

The survey indicates that many insurers don't yet have the answer to how to price cybersecurity insurance: While 47% of total respondents said they are "very confident" in their underwriting process, 44% are only "somewhat confident."

"There's some conflicting results that show on the one hand, they're confident in their models, but on the other hand, they're not really confident that they understand how to price it," Whitfield explains. "This is going to evolve over time. But there needs to be an openness and awareness and a conversation with the market about how to do this."

Complicating matters is that the past is never a good predictor when it comes to cybersecurity. "For some kind of risks, the past can give you a good handle on what's going to happen in the future," he says. "In cyber, it's just not the case. We have active adversaries. We have new tools, techniques, and procedures to gain access to our environments, new malware, new applications. The past is no predictor of the future. And that's what makes it so difficult for them to price this."

Insurers and brokers are charging more for policies and setting higher requirements as they face an increasingly complex threat landscape that has taken on a global nature, while the frequency and severity of attacks are increasing.  

A Kaspersky study released in January 2022 and conducted in October 2021 indicated investing in cyber insurance is a growing proactive trend; 28% of respondents said their company annually invests anywhere from $25,000 to $50,000 per year.

From Whitfield's perspective, the outlook for cybersecurity threats is going to get worse before it gets better. "The risk to businesses has been increasing, and the number of breaches and the cost of a breach has been rising steadily in the last few years," he says.

So, how can the insurance industry both support business and make a return at the same time? It will take a partnership between the insured and the insurer, he explains. "I don't think it could be forced by one party or the other, and it needs to be settled with evidence rather than a questionnaire finding out what the opinion of an organization is about a security posture." 

That means insurers getting hard data about an organization's security posture, provided in an efficient, timely way, and with high-quality data that can be relied on. "That will be the real revolution in the cyber-insurance industry," Whitfield says.

Ransomware Scourge Drives Price Hikes in Cyber Insurance

The new open source security-as-code platform will help developers and security teams automatically detect security policy violations across the organization's cloud infrastructure.

As more organizations migrate their data, applications, and workloads to the cloud, securing the infrastructure remains a challenge. Security teams don't always know exactly what is happening within each cloud environment, making it difficult to detect when security policies are being violated.

That's the problem Paladin Cloud aims to solve with its security-as-code platform.

Paladin Cloud’s platform is intended to help developers and DevOps teams safeguard their applications and data, both in testing and production. It accomplishes this goal by providing teams with full visibility into the organization's various cloud services and systems. The platform includes a plug-in-based architecture that helps developers connect to and ingest data from sources including code repositories, threat intelligence systems, container scanning, API gateways, and cloud-based enterprise systems such as Kubernetes.

Supported vendor systems include Qualys Vulnerability Assessment Platform, Bitbucket, Trend Micro Deep Security, Tripwire, Venafi Certificate Management, and Red Hat. Security teams can write rules based on data collected by these plugins to get a complete picture of the organization's cloud security posture.

"The platform discovers assets, evaluates policy, creates issues for policy violations, and prioritizes remediation," according to a page on Paladin Cloud's GitHub repository. If fixes for policy violations have already been defined, then the platform can go ahead and execute those actions to remediate the issues. This way, the platform provides automatic detection and remediation of violations, such as unauthorized access, misconfigured systems, and insecure APIs.

Organizations can also take advantage of the platform's extensible policy management to oversee hybrid clouds, where the data and applications are hosted on both public and private infrastructure.

Paladin Cloud lists various out-of-the-box features on its GitHub page, including continuous asset discovery, ability to search all discovered resources, custom policies and custom auto-fix actions, dynamic asset grouping to view compliance, exception management, OAuth2 support, and role-based access control.

The platform is now generally available for Amazon Web Services, Google Cloud, and Microsoft Azure. Along with announcing the platform's availability, the company announced a $3.3 million seed financing round.

Paladin Cloud Launches New Cloud Security and Governance Platform

"HavanaCrypt" is also using a command-and-control server that is hosted on a Microsoft Hosting Service IP address, researchers say.

Threat actors are increasingly using fake Microsoft and Google software updates to try to sneak malware on target systems.

The latest example is "HavanaCrypt," a new ransomware tool that researchers from Trend Micro recently discovered in the wild disguised as a Google Software Update application. The malware's command and-control (C2) server is hosted on a Microsoft Web hosting IP address, which is somewhat uncommon for ransomware, according to Trend Micro.

Also notable, according to the researchers, is HavanaCrypt's many techniques for checking if it is running in a virtual environment; the malware's use of code from open source key manager KeePass Password Safe during encryption; and its use of a .Net function called "QueueUserWorkItem" to speed up encryption. Trend Micro notes that the malware is likely a work-in-progress because it does not drop a ransom note on infected systems.

HavanaCrypt is among a growing number of ransomware tools and other malware that in recent months have been distributed in the form of fake updates for Windows 10, Microsoft Exchange, and Google Chrome. In May, security researchers spotted ransomware dubbed "Magniber" doing the rounds disguised as Windows 10 updates. Earlier this year, researchers at Malwarebytes observed the operators of the Magnitude Exploit Kit trying to fool users into downloading it by dressing the malware as a Microsoft Edge update.

As Malwarebytes noted at the time, fake Flash updates used to be a fixture of Web-based malware campaigns until Adobe finally retired the technology because of security concerns. Since then, attackers have been using fake versions of other frequently updated software products to try to trick users into downloading their malware — with browsers being one of the most frequently abused.

Creating fake software updates is trivial for attackers, so they tend to use them to distribute all classes of malware including ransomware, info stealers, and Trojans, says an analyst with Intel 471 who requested anonymity. "A non-technical user might be fooled by such techniques, but SOC analysts or incident responders will likely not be fooled," the analyst says.

Security experts have long noted the need for organizations to have multi-layered defenses in place to defend against ransomware and other threats. This includes having controls for endpoint detection and response, user and entity behavior-monitoring capabilities, network segmentation to minimize damage and limit lateral movement, encryption, and strong identity and access control -- including multi-factor authentication. 

Since adversaries often target end users, it is also critical for organizations to have strong practices in place for educating users about phishing risks and social engineering scams designed to get them to download malware or follow links to credential harvesting sites.

**How HavanaCrypt Works**

HavanaCrypt is .Net malware that uses an open-source tool called Obfuscar to obfuscate its code. Once deployed on a system, HavanaCrypt first checks to see if the "GoogleUpdate" registry is present on the system and only continues with its routine if the malware determines the registry is not present.

The malware then goes through a four-stage process to determine if the infected machine is in a virtualized environment. First it checks the system for services such as VMWare Tools and vmmouse that virtual machines typically use. Then it looks for files related to virtual applications, followed by a check for specific file names used in virtual environments. Finally, it compares the infected systems' MAC address with unique identifier prefixes typically used in virtual machine settings. If any of checks show the infected machine to be in a virtual environment, the malware terminates itself, Trend Micro said.

Once HavanaCrypt determines it's not running in a virtual environment, the malware fetches and executes a batch file from a C2 server hosted on a legitimate Microsoft Web hosting service. The batch file contains commands for configuring Windows Defender in such a manner that it allows detected threats. The malware also stops a long list of processes, many of which are related to database applications such as SQL and MySQL or to desktop applications such as Microsoft Office.

HavanaCrypt's next steps include deleting shadow copies on the infected systems, deleting functions for restoring data, and gathering system information such as the number of processors the system has, processor type, product number, and BIOS version. The malware uses the QueueUserWorkItem function and code from KeePass Password Safe as part of the encryption process.

"QueueUserWorkItem is a standard technique for creating thread pools," says the analyst from Intel 471. "The use of thread pools will speed up encryption of the files on the victim machine."

With KeePass, the ransomware author has copied code from the password manager tool and used this code in their ransomware project. "The copied code is used to generate pseudorandom encryption keys," the analyst notes. "If the encryption keys were generated in a predictable, repeatable way, then it might be possible for malware researchers to develop decryption tools."

The attacker's use of a Microsoft hosting service for the C2 server highlights the broader trend by attackers to hide malicious infrastructure in legitimate services to evade detection. "There is a great deal of badness hosted in cloud environments today, whether it's Amazon, Google, or Microsoft and many others," says John Bambenek, principal threat hunter at Netenrich. "The highly transient nature of the environments makes reputation systems useless."

Fake Google Software Updates Spread New Ransomware

Unsophisticated campaigns use off-the-shelf RATs and other tools to exfiltrate data and demand a ransom to keep it private.

A little social engineering and commercially available remote administration tools (RATs) and other software are all the new Luna Moth ransom group has needed to infiltrate victims' systems and extort payments.

The threat group is essentially pulling off ransom attacks without the ransomware, according to researchers at Sygnia, who today published their findings on Luna Moth.

With co-opted branding from Zoho Masterclass and Duolingo, Luna Moth launches a classic phishing campaign to compromise victim devices and exfiltrate any available data. Phishing emails request a payment for a subscription and offer a PDF attachment with a cell phone number to call for more information. When the victim calls to discuss the invoice, the call is answered by the threat actor, who will try to trick the victim into installing Atera, a widely available RAT, giving the attackers full device control.

The researchers observed Luna Moth abusing other off-the-shelf remote administration tools including Splashtop, Syncro, and AnyDesk for device takeover. In addition to RATs, commercially available tools like SoftPerfect Network Scanner, SharpShares, and Rclone were used to access and exfiltrate data, the researchers added.

"The tools are stored on compromised machines under false names masquerading as legitimate binaries," Sygnia said it in its report on Luna Moth. "These tools, in addition to the RATs, provide the threat actors with the means to conduct basic reconnaissance activities, access additional available assets, and exfiltrate data from compromised networks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Luna Moth' Group Ransoms Data Without the Ransomware

Fraudster innovation will continue to drive successful phishing, business email compromise, and socially engineered attacks, researchers say.

Despite ratcheted-up efforts to prevent account takeover, fraudsters are cashing in on a range of online payment fraud schemes, which researchers predict will cost retail organizations more than $343 billion over the next five years. 

Physical good purchases are loss leaders, making up 49% of online payment fraud, driven in large part by developing markets with little address verification, according to a new Juniper Research report. 

"Fundamentally, no two online transactions are the same, so the way transactions are secured cannot follow a one-size-fits-all solution," Nick Maynard, the report's author, explained in a statement along with the latest online payment fraud findings. "Payment fraud detection and prevention vendors must build a multitude of verification capabilities, and intelligently orchestrate different solutions depending on circumstances, in order to correctly protect both merchants and users." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Online Payment Fraud Expected to Cost $343B Over Next 5 Years

**LONDON, 11 July, 2022 –** Global research and advisory firm Omdia today unveils its Data Center Thermal Management and Sustainability Intelligence Service. The new annual service offers technology manufacturers, vendors and service providers comprehensive insight and analysis of sustainable data center practices and strategies, with a focus on new technologies such as liquid cooling and energy storage.

Increasing compute requirements continue to drive data center development requiring new approaches to thermal management. At the same time, data center operators and end-users are looking for data centers with sustainability credentials and are making purchasing decisions based on the presence of practices that reduce greenhouse gas emissions.

“While the use of air-cooled equipment dominates data centers today, liquid cooling solutions are gaining interest because they improve the power-to-cooling ratio, address new workload needs and help to achieve sustainability goals. Omdia predicts the liquid cooling market will top $1 billion in 2025,” said Moises Levy, PhD, Senior Principal Analyst, Data Center Physical Infrastructure, Omdia.

Levy added, “The data center thermal management market, which includes the liquid cooling market, is on track to reach $7.7 billion by 2025. The adoption of hybrid solutions involving air and liquid cooling will continue to increase globally in data centers, driven by energy consumption concerns and sustainability goals.”

Through market trends, surveys and reports as well as analyst insights and briefings, the Data Center Thermal Management and Sustainability Intelligence Service will help to:

*   Understand data center investment enabling sustainability
*   Compare and contrast the actions and practices of data center operators
*   Outline ways to improve resource efficiency
*   Offer thermal management strategies and insights into strategy evolution
*   Follow key trends such as AI-based analytics for data center management, equipment renewal, reuse and more

To learn more about the Data Center Thermal Management and Sustainability Intelligence Service please click here.

**ABOUT OMDIA**

Omdia is a leading research and advisory group focused on the technology industry. With clients operating in over 120 countries, Omdia provides market-critical data, analysis, advice, and custom consulting.

Omdia was formed in 2020 following the merger of IHS Markit, Tractica, Ovum and Heavy Reading. Sitting at the heart of the Informa Tech portfolio, Omdia reaches over four million technology decision makers, influencers and practitioners that form part of the wider Informa Tech community and has specialist research practices focusing on Enterprise IT, AI, Internet of Things, Communications Service Providers, Cybersecurity, Components & Devices, Media & Entertainment and Government & Manufacturing.

Omdia: Sustainability Ranks Top on Data Center Operators’ Agendas Despite Cost and Reliability Barriers

The new guidelines would require public companies to file periodic disclosures about their cybersecurity practices and notify the SEC within 96 hours of a material breach.

New cyber-risk management rules for third-party service providers and beefed-up public company disclosures could have far-reaching effects on financial services firms and others that must comply with SEC regulations, requiring senior management to ensure that their companies upgrade their cybersecurity detection and response times significantly. The proposals, issued by SEC Chair Gary Gensler earlier this year, effectively replace the 2018 guidance on how to handle and disclose cyber-risk.

The proposed rules call for data breaches to be disclosed within four days, as well as for companies to disclose information such as senior management's and the board's roles in and oversight of cybersecurity risks, whether companies have cybersecurity policies and procedures, and how cybersecurity risks and incidents are likely to impact the company's financials, according to Gensler.

"When companies have an obligation to disclose material information to investors, they must be complete and accurate. Their disclosures also should be timely," Gensler said.

Jeff Williams, co-founder and chief technology officer at application security platform provider Contrast Security, is in favor of the new rules. 

"The proposed cybersecurity rules are a big and welcome step forward for cybersecurity transparency," he says, adding that they could go even further. "The primary focus is on breach disclosure and not vulnerability disclosure, which I believe is missing the mark on what will truly deliver better cybersecurity to consumers and investors."  

Steven Yadegari, CEO of FiSolve, a consulting firm that specializes in legal, compliance, and operations for financial services firms and asset managers, also points out that the proposed rules "contain more prescriptive requirements compared to existing SEC cybersecurity guidance and rules related to safeguarding information and would require most registered advisers to implement specific, considerable enhancements to their cybersecurity programs."

**Four Days to File**

A fact sheet from the SEC notes that organizations must disclose information about "a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident." However, the rule states, if a company determines that the impact of a breach is significantly different from originally disclosed in its 8-K filing, an amended 8-K might be required. Text of the proposed rule can be found here.

The 96-hour disclosure window is one day longer than that provided by the European Union's General Data Protection Regulation (GDPR), the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) signed by U.S. President Joe Biden in March, and the New York Department of Financial Services Cybersecurity Regulation, all of which have 72-hour breach notification periods.

Jason Hicks, field CISO at the cybersecurity consulting firm Coalfire, says one of the more controversial aspects of the new regulation — the 96-hour time requirement for a company to disclose the breach — might not be as draconian as many initially believed. 

"The compressed four-day time line jumped out at me, but if you read the fine print, the agency is allowing an indeterminate amount of time to investigate the incident and determine if it is, indeed, material," Hicks says. "However, you are still likely to find yourself making public disclosure before you've completed your entire incident response process."  

The law firm Woodruff Sawyer analyzed the proposed regulation and cited one word that could take the bite out of the apparent extreme nature. 

"Note that the word 'jeopardizes' could be taken to mean that some harm might take place, as opposed to actually taking place," the firm wrote in its published response. "The contingent nature of such disclosure is unlikely to be useful to investors, a point expressed well by the Davis Polk comment letter on the proposed rules."

**Boards Take Responsibility**

The Davis Polk letter, written to the SEC as part of the public request for comments, also questions whether board members need to have cybersecurity expertise. Instead, the firm expects boards to continue to exercise oversight. The question of a board of directors' responsibility for cybersecurity efforts and their personal liability for data breaches has been the subject of other compliance regulations and laws in recent years; this is simply the latest that would put cybersecurity responsibility at the board level.

Marcus Astin, chief operating officer and the governance, risk, and compliance officer at clothier Pala Leather, says he welcomes the new cybersecurity rules.

"They position me and my team to take a more proactive role in cybersecurity risk management," Astin says. "We will be able to identify risks, plan for their execution, and measure the effectiveness of our programs. The new standards are a great opportunity for us to elevate ourselves from reactive risk detection to a more integrated approach."

Adds Yadegari: "We have already seen many firms of all sizes look for help from outside experts. This is a sign of how seriously the industry takes these issues. Whether the proposed rules are adopted or not, I think we will see boards interested in receiving professional advice from experts knowledgeable about cybersecurity, third-party risk management, and GRC. As attacks and technology become increasingly sophisticated, this need only becomes more important to board members and management."

Proposed SEC Rules Require More Transparency About Cyber-Risk

Proactive steps in recruiting women to cybersecurity teams, along with policies focused on diversity, equity, and inclusion, help make cybersecurity teams more effective. Addressing specific barriers that female candidates face will make those teams more inclusive and more representative.

From creating secure environments for hybrid work models to designing safer cloud infrastructures for data security, there is a constant need to solve cybersecurity problems from various domains and standpoints. However, to solve these problems effectively, organizations and governments alike need the right teams.

Nurturing highly effective cybersecurity teams has become a priority for all organizations, and today, an effective cybersecurity team is one that is inclusive of diverse perspectives, particularly those of women.

Research has shown that teams made up of diverse people with various backgrounds, skills, and genders almost always perform better than homogeneous teams. Yet, women are still greatly outranked by men in the cybersecurity space.

While organizations have implemented initiatives like diversity or equality programs, they don't address the specific barriers that female candidates face during recruitment or the problems women face in the cybersecurity workplace, all of which affect the overall productivity and effectiveness of a security team.

This means that organizations need to take more proactive steps in recruiting women into their cybersecurity teams, such as properly implementing policies focused on diversity, equity, and inclusion, and ensuring that they address the barriers qualified candidates face while entering and working in the industry.

**Barriers in the Recruitment Process**

One of the major challenges faced by women is at the recruitment stage. A lot of companies look for people who have specialized, IT-based qualifications for most cybersecurity roles. But cybersecurity isn't an isolated domain, restricted only to IT practitioners. It affects all domains and is influenced primarily by human behavior. Most of the attacks that have happened in recent times are a result of erroneous human behavior and social engineering. The best way to mitigate threats that occur because of human error is to open specialized, isolated security teams to varied perspectives.

Hiring generalists (i.e., candidates who don't have a cybersecurity background) ensures that organizations explore the maximum possible number of user reactions to a cybersecurity product, program, protocol, or any situation that demands caution and awareness from the user's end, leading to an increase in the effectiveness of any team. With the increasing number of vacancies in the industry and the limited number of specialists out there to fill them, filtering candidates who don't have specialized cybersecurity knowledge negates a huge chunk of diverse talent that could help fill the gap. Organizations must consider hiring for entry-level positions based on potential to perform well and add value to cybersecurity teams rather than only considering specialized IT-based competencies. By opening such roles to a whole new set of people, including women, organizations stand to gain better results.

When organizations resort to hiring esoteric profiles, they restrict cybersecurity product or service teams from considering factors beyond homogeneous perspectives while trying to determine possible anomalies in user behavior. Users and attackers will be from various backgrounds, genders, races, and ethnicities. Having a diverse cybersecurity team can help bring about a vivid understanding of user psychology and plug possible loopholes right from the outset. This is possible due to the various life experiences and thought processes a diverse team will bring to the table. This will in turn help predict possible anomalous behavior of users, and set the right detection rules.

**Fostering Inclusive Cybersecurity Teams Through Better HR Practices**

Organizations can make cybersecurity recruitment more inclusive by implementing best practices that specifically address issues that women face.

Tackling preconceived notions that recruiters have while hiring women, and avoiding the age-old question of work-life balance that all women face, would be a good place to start. This goes both ways. Some aspirants have a similar prejudice when it comes to the roles they believe exist in the cybersecurity field. When they think cybersecurity, they see an image of a man wearing a hoodie and hacking systems. This prevents them from exploring the wide range of opportunities the field has to offer, such as governance, risk, and compliance; incident management and response; and SOC teams.

There's a need for awareness among candidates aspiring to enter the cybersecurity industry. Addressing this is the joint responsibility of the organizations that run the industry and of the academic institutions that educate and train the candidates who constitute the workforce.

Despite women constituting a major part of the tech workforce, the challenges they face while entering the cybersecurity domain and once they are in the workplace continue to exist. It's time organizations address these challenges to provide a safer, more inclusive workplace for women, which in turn will benefit the productivity of their teams and ultimately improve the organization's security posture.

Diversity in Cybersecurity: Fostering Gender-Inclusive Teams That Perform Better

Scams pressure victims to "resolve an issue that could impact their status, business."

A recent wave of social media phishing schemes doubles down on aggressive scare tactics with phony account-abuse accusations to coerce victims into handing over their login details.

Last week alone, Malwarebytes Labs uncovered two phishing scams, targeting Twitter and Discord (a voice, video, and text chat app). The Twitter phishing scam sends users a direct message (DM) flagging their account for use of hate speech and requesting the user authenticate the account to avoid a suspension. Users are then redirected to a fake "Twitter help center," which asks for the user's login credentials.

The Discord phishing campaign sends users a message from friends or strangers accusing the user of sending explicit photos that are exposed on a server. The message includes a link to the purported server, and if the user wants to follow the link, they are asked to log in via QR code. If they do, the account will most likely be taken over by scammers, according to Malwarebytes. The message then gets sent to the user's friends from his or her account, perpetuating the phishing scam.

Patrick Harr, CEO at SlashNext, an anti-phishing company, says the Twitter and Discord attacks are a clever twist on the traditional social engineering scam to steal credentials. The best social engineering scams use fear or outrage to move the victim to act quickly without taking too much time to think "Is this a phishing scam?," he explains.

"In both cases, the users of Twitter and Discord are motivated to resolve an issue that could impact their status, business, or entertainment, which is why this phish is so effective," he notes.

Social media platforms are perpetual targets of phishing campaigns, using psychological manipulation to encourage victims to disclose confidential login credentials. The pilfered information is then used by malicious actors to hijack the user's social media accounts, or even gain access to their bank accounts.

But more importantly for enterprises, successful social media attacks on their employees can open the door to infiltration to the company network via the user’s infected device or abused credentials. "This means companies need a BYOD strategy that includes multichannel phishing and malware protection to protect social, gaming, and all messaging apps," Harr says.

**Fear and Urgency as Phishing Tools**

James McQuiggan, security awareness advocate at KnowBe4, explains social media phishes are effective because they use fear and urgency to get the victim to take an action they might not otherwise take. "A lot of the time, phishing attacks rely on the victim reacting to the email in an emotional state," he says. "The victim sees the email and responds without adequately checking the sender or the link."

An example is the threat of the social media account being suspended or a notice that the password has expired. When the victim clicks the link and visits the fake website, it looks exactly like the login page, and the user enters their credentials.

And if the user employs multifactor authentication (MFA) with the account, he says, the attacker can copy that session key to bypass the login and automatically gain access before the victim realizes it.

Attackers typically create high-pressure situations to increase their success rates. "If the target doesn't have time to think or feels pressured to act, they will likely overlook any red flags or gut reactions telling them not to engage," says Hank Schless, senior manager of security solutions at Lookout.

In the two incidents involving Discord and Twitter, Schless says, the attackers went for the integrity of the individual. "The public shame associated with hate speech or inappropriate behavior can be enough to get someone to act without thinking," he says.

**Remote Workforce Susceptible to Phishing**

McQuiggan points out remote workers have less in-person interaction with people around them and are less likely to share the experience or event with their co-workers sitting next to them.

"Suppose the organization isn't providing them with equipment from the organization," he says. "In that case, they will certainly be using their own devices and are more relaxed with them at home than with a machine from their organization."

It's not hard for cybercriminals to search LinkedIn or Twitter to see which users work for the public relations, marketing, or communications teams and then work to target them. He says spear-phishing is a top attack vector to get employees to click the links and "open the electronic front door" of the organization.

SlashNext’s Harr says training should include social engineering scams to demonstrate how personal interactions, such as social media interactions, can impact their work life. "However, we hear from customers that making policy adjustments restricting employees' use of mobile, social, or other personal apps is not well-received," he says. "In fact, asking employees to install managed security on their personal devices is also a non-starter."

McQuiggan says additional training is certainly one method of getting users aware of the various social media attacks. "Avoid relying on the links in the email and use it as an alert to check the account," he adds. "Use the application or a browser to log in and verify if an account is wrong or experiencing problems, as mentioned in the phishing email."

Organizations should employ mobile phishing protection across their entire user base — to both corporate-owned and personal devices, Schless recommends.

"Phishing credentials on mobile devices is typically how attackers can gain discreet access to the broader infrastructure and execute more advanced attacks like ransomware," he explains. "Protection against those more advanced attacks requires visibility into how users are accessing apps and data, then how they interact with that data."

**Phishing Attacks Just Won't Die**

Schless is also seeing a recent increase in voice phishing (vishing) and QR code phishing. "There could also be broader use of deepfake technology to impersonate an individual's voice or face in order to make the malicious communication even more convincing," he says.

Harr says social engineering phishing scams continue to be a serious problem for organizations. "We have seen an increase in requests for SMS and messaging protection as business text compromise, like its cousin business email compromise, is becoming a growing problem for an organization to detect and block."

Source

DARKReading