Insights into the financial and operational implications of having backups compromised in a ransomware attack.

There are two main ways to recover encrypted data in a ransomware attack: restoring from backups and paying the ransom. Compromising an organization’s backups enables adversaries to restrict their victim’s ability to recover encrypted data and dial-up the pressure to pay the ransom.

This analysis explores the impact of backup compromise on the business and operational outcomes of a ransomware attack. It also shines light on the frequency of successful backup compromise across a range of industries.

The findings are based on a vendor-agnostic survey commissioned by Sophos of 2,974 IT/cybersecurity professionals whose organizations had been hit by ransomware in the last year. Conducted by independent research agency Vanson Bourne in early 2024, the study reflects respondents’ experiences over the previous 12 months.

Executive summary

The analysis makes clear that financial and operational implications of having backups compromised in a ransomware attack are immense. When attackers succeed in compromising backups, an organization is almost twice as likely to pay the ransom and incurs an overall recovery bill that is eight times higher than for those whose backups are not impacted.

Detecting and stopping malicious actors before your backups are compromised enables you to reduce considerably the impact of a ransomware attack on your organization. Investing in preventing backup compromise both elevates your ransomware resilience while also lowering the overall Total Cost of Ownership (TCO) of cybersecurity.

Download the report PDF

Learning 1: Ransomware actors almost always attempt to compromise your backups

94% of organizations hit by ransomware in the past year said that the cybercriminals attempted to compromise their backups during the attack. This rose to 99% in both state and local government, and the media, leisure and entertainment sector. The lowest rate of attempted compromise was reported by distribution and transport, however even here more than eight in ten (82%) organizations hit by ransomware said the attackers tried to access their backups.

Learning 2: Backup compromise success rate varies greatly by industry

Across all sectors, 57% of backup compromise attempts were successful, meaning that adversaries were able to impact the ransomware recovery operations of over half of their victims. Interestingly, the analysis revealed considerable variation in adversary success rate by sector:

• Attackers were most likely to successfully compromise their victims’ backups in the energy, oil/gas, and utilities (79% success rate) and education (71% success rate) sectors
• Conversely, IT, technology and telecoms (30% success rate) and retail (47% success rate) reported the lowest rates of successful backup compromise

There are several possible reasons behind the differing success rates. It may be that IT, telecoms and technology had stronger backup protection in place to start with so was better able to resist the attack. They may also be more effective at detecting and stopping attempted compromise before the attackers could succeed. Conversely, the energy, oil/gas and utilities sector may have experienced a higher percentage of very advanced attacks. Whatever the cause, the impact can be considerable.

Learning 3: Ransom demands and payments double when backups are compromised

Data encryption

Organizations whose backups were compromised were 63% more likely to have data encrypted than those that didn’t: 85% of organizations with compromised backups said that the attackers were able to encrypt their data compared with 52% of those whose backups were not impacted. The higher encryption rate may be indicative of weaker overall cyber resilience which leaves organizations less able to defend against all stages of the ransomware attack.

Ransom demand

Victims whose backups were compromised received ransom demands that were, on average, more than double that of those whose backups weren’t impacted, with the median ransom demands coming in at $2.3M (backups compromised) and $1M (backups not compromised) respectively. It is likely that adversaries feel that they are in a stronger position if they compromise backups and so are able to demand a higher payment.

Ransom payment rate

Organizations whose backups were compromised were almost twice as likely to pay the ransom to recover encrypted data than those whose backups were not impacted (67% vs. 36%).

Ransom payment amount

The median ransom payment by organizations whose backups were compromised was $2M, almost double that of those whose backups remained intact ($1.062M). They were also less able to negotiate down the ransom payment, with those whose backups were compromised paying, on average, 98% of the sum demanded. Those whose backups weren’t compromised were able to reduce the payment to 82% of the demand.

Learning 4: Ransomware recovery costs are 8X higher when backups are compromised

Not all ransomware attacks result in a ransom being paid. Even when they do, ransom payments are just part of the overall recovery costs when dealing with a ransomware attack. Ransomware-led outages frequently have a considerable impact on day-to-day business transactions while the task of restoring IT systems is often complex and expensive.

The median overall ransomware recovery costs for organizations whose backups were compromised ($3M) came in eight times higher than that of organizations whose backups were not impacted ($375K). There are likely multiple reasons behind this difference, not least the additional work that is typically needed to restore from decrypted data rather than well-prepared backups. It may also be that weaker backup protection is indicative of less robust defenses and greater resulting rebuilding work needed.

Those whose backups were compromised also experienced considerably longer recovery time with just 26% fully recovered within a week compared with 46% of those whose backups were not impacted.

Recommendations

Backups are a key part of a holistic cyber risk reduction strategy. If your backups are accessible online, you should assume that adversaries will find them. Organizations would be wise to:

• Take regular backups and store in multiple locations. Be sure to add MFA (multi-factor authentication) to your cloud backup accounts to help prevent attackers from gaining access.
• Practice recovering from backups. The more fluent you are in the restoration process, the quicker and easier it will be to recover from an attack.
• Secure your backups. Monitor for and respond to suspicious activity around your backups as it may be an indicator that adversaries are attempting to compromise them.

How Sophos can help

Sophos MDR: Over 500 experts monitoring and defending your organization

Sophos MDR is a 24/7 expert-led managed detection and response service that specializes in stopping advanced attacks that technology alone cannot prevent. It extends your IT/security team with over 500 specialists who monitor your environment, detecting, investigating, and responding to suspicious activities and alerts.

Sophos MDR analysts leverage telemetry from the security tools you already use – including your backup and recovery solution – to detect and neutralize attacks before damage is done. With an average threat response time of just 38 minutes, Sophos MDR works faster than your next threat.

Sophos XDR: Enabling IT teams to detect and respond to attacks

In-house teams can use Sophos XDR to get the visibility, insights, and tools they need to detect, investigate, and respond to multi-stage threats, across all key attack vectors, in the shortest time. With Sophos XDR you can leverage telemetry from your backup and recovery solution, as well as your wider security stack, to quickly see and respond to attacks.

Source: Sophos

Sophos’ market-leading Managed Detection and Response offering continues to go from strength to strength, with over 20,000 organizations worldwide now protected by the service.  

Industry analysts agree. We are delighted to announce that Sophos has been named a Leader by Frost & Sullivan in their 2024 Frost Radar™ report for Global Managed Detection and Response.

According to Frost & Sullivan, Sophos stands out as an MDR leader for:

Flexibility

Citing Sophos’ expansive integrations with both native and third-party technologies, the report also highlights the flexibility of our MDR response modes and subscription tiers.

Support for Microsoft Environments

The evaluation calls out Sophos’ ability to deliver MDR services for Microsoft environments as an advantage, with the expertise to investigate and respond to Microsoft security alerts across endpoint, cloud, and identity sources, among others.

Unlimited Incident Response

Frost & Sullivan highlights a powerful differentiator of Sophos MDR: “To go a step beyond the traditional functionalities and responsibilities of MDR platforms, Sophos delivers unmetered incident response services as part of its core offering”.

Rapid Growth

Acknowledging our success in the market, the report notes that Sophos is “growing faster than average in the already fast-growing MDR market”, thanks to our channel-best approach and thought leadership.

Download the full Frost & Sullivan Report

Continued Industry Recognition

Sophos MDR continues to garner high praise from experts across the industry. In addition to this Frost & Sullivan recognition, Sophos is proud to be:

• A Gartner Peer Insights Customers’ Choice for Managed Detection and Response
• Rated the Number 1 MDR solution by customers in the G2 Winter 2024 Grid Reports
• Named a Representative Vendor in the Gartner Market Guide for Managed Detection and Response Services

Check out our full range of independent accolades and endorsements on Sophos.com.

To learn more about Sophos MDR,  or speak to your Sophos representative or partner.

Source: Sophos

We are delighted to announce that Sophos has been named a Leader in the IDC MarketScape: Worldwide Modern Endpoint Security for Small Businesses 2024 Vendor Assessment (doc #US50521424, March 2024). This recognition comes on the heels of Sophos also being named a Leader in the IDC MarketScape: Worldwide Modern Endpoint Security for Midsize Businesses 2024 Vendor Assessment (doc #US50521323, February 2024).

The IDC MarketScape study evaluates modern endpoint security vendors’ prevention, EDR, and MDR capabilities and business strategies, with a specific focus on the requirements of small businesses.

According to the IDC MarketScape evaluation, “Sophos is a strong consideration for small businesses, particularly those with large business security requirements that have little to no in-house security expertise.”  Read the excerpt

“Every organization, regardless of size, suffers from resource constraints. The stakes in cybersecurity, with small businesses in particular, are massive, and many of these companies are struggling to keep up,” said Michael Suby, research vice president, Security & Trust, IDC. “Sophos, with an expansive set of protection technologies and proven MDR service offering, is a great option to help a small business improve its security posture in whatever way fits best – either with the tools to help its experts in-house or by leveraging the expertise of the dedicated MDR security team.”

Trusted Managed Detection and Response Service

Cybersecurity is becoming so complex that most small businesses cannot keep up and need every advantage. Sophos delivers superior cybersecurity outcomes by giving customers the advantages they urgently need. Our 24/7 Managed Detection and Response service enables organizations to reduce the risks and costs associated with security incidents and data breaches that could potentially be catastrophic to small businesses.

The IDC MarketScape report notes: “Sophos MDR, already in use by over 20,000 Sophos customers, is a time-tested MDR service combined with Sophos’ engagements with cyber insurance providers delivers the confidence small businesses need to attain their endpoint security objectives without being security experts.” 

Innovative Protection Capabilities

Sophos delivers strong preventative security that significantly reduces the workload resource-stretched small businesses​. We believe our continued ‘protection-first’ strategy is a key contributor to Sophos’ position as a Leader in this evaluation.

We are constantly innovating to stay ahead of the evolving and expanding attack landscape. The IDC MarketScape assessment references Sophos’ expansive set of protection technologies provided as standard features in our endpoint security offering, and calls out some of our most recent innovations:

“Even with the most diligent efforts to deflect attackers, there are no guarantees that all manner of attacks can be thwarted. Addressing this potential, Sophos recently added several new capabilities: adaptive attack protection, critical attack warning, and data protection and recovery.” 

Get the excerpt

To learn more about why Sophos was named a Leader in the 2024 IDC MarketScape for Worldwide Modern Endpoint Security for Small Businesses, read the excerpt here.

Source: Sophos

Organizations should implement the principle of least privilege to protect their sensitive data from unauthorized access. To implement the principle of least privilege, organizations need to define roles and permissions, invest in a Privileged Access Management (PAM) solution, enforce MFA, automatically rotate credentials for privileged accounts, segment networks and regularly audit network privileges.

Continue reading to learn more about the principle of least privilege, why it is important and how your organization can implement it.

What Is the Principle of Least Privilege and Why Is It Important?

The Principle of Least Privilege (PoLP) is a cybersecurity concept in which users are granted just enough network access to data and systems to do their jobs, and no more. Least privilege access applies to users, processes, applications, systems and IoT devices. It prevents users from accessing resources they do not need and limits what they can do with the resources they do have access to.

Least privilege access is important because it:

• Reduces attack surface: Attack surface refers to the possible entry points where cybercriminals can access a system and steal data. By limiting privileges, organizations can reduce the possible entry points for unauthorized access and easily prevent any potential threats.
• Minimizes insider threats: Insider threats are cyber threats originating from within an organization when current or former employees, partners, contractors or vendors heighten the risk of sensitive data and systems becoming compromised. By limiting access, organizations can minimize insider threats from compromising sensitive data, whether by accident or intentionally.
• Prevents lateral movement: Lateral movement is when cybercriminals move deeper within an organization’s network after gaining initial access by escalating their privileges. Least privilege access prevents threat actors from moving laterally throughout a network. The cybercriminal will be restricted to the systems and data of the compromised account.
• Adheres to regulatory compliance: Least privilege access helps organizations protect sensitive data and adhere to regulatory and industry compliance frameworks such as GDPR, HIPAA and SOX.

6 Ways Organizations Can Implement the Principle of Least Privilege

The principle of least privilege will help organizations improve their security and protect their sensitive information from unauthorized access. Here are six ways organizations can implement the principle of least privilege.

Define roles and permissions

The first step of implementing the PoLP is to define roles and permissions. Organizations need to determine the level of access to specific sensitive data and systems – who should be accessing these resources, why they are accessing them and how long they should have access to them. They then need to define what role each member of the organization has and what permissions each member has based on their role. They should use Role-Based Access Control (RBAC) to help define roles and permissions.

RBAC grants specific network permissions based on a user’s defined role. Users will have limited network access to specific data and systems based on their role within the organization and what they need to do their jobs. They should not have access to any resources outside of their assigned job duties. RBAC restricts what users can do with a system or file they have access to. For example, marketing employees need access to customer data but not developer environments, and IT administrators need access to developer environments but not financial records.

Invest in a PAM solution

To help manage and keep track of privileged accounts, organizations need to invest in a PAM solution. PAM refers to securing and managing accounts with access to highly sensitive systems and data. These privileged accounts can range from local administrator accounts to non-human service accounts to privileged user accounts. With a PAM solution, organizations can implement least privilege access since they have full visibility into their entire data infrastructure and how much access users have to sensitive data. They can determine who can access privileged accounts and how much access each user should have. PAM solutions help prevent privileged accounts from being misused by insider threats and compromised by threat actors.

Enforce MFA

Multi-Factor Authentication (MFA) is a security protocol that requires additional authentication. To access a privileged account protected by MFA, authorized users must provide the login credentials to the account and an extra form of verification. Organizations need to enforce MFA on all privileged accounts to add an extra layer of security and ensure that only authorized users can access them. Even if the login credentials to the privileged account were compromised, cybercriminals could not access the account because it’s protected by MFA and they cannot provide additional authentication.

Automatically rotate credentials for privileged accounts

Password rotation is a cybersecurity practice in which passwords are regularly changed on a predetermined schedule. Organizations should use automated password rotation to protect privileged accounts from unauthorized access. Since privileged accounts provide access to sensitive information, organizations need to regularly change their passwords for these accounts. This locks out users who do not need access to the accounts anymore and prevents cybercriminals from cracking the passwords. Using automated password rotation ensures that privileged accounts are protected with strong and unique passwords after every rotation.

Segment networks

Network segmentation divides and isolates parts of an organization’s network to control access to sensitive information. These segments are divided based on the type of sensitive information stored and the users who need access. Segmentation limits access to the entire network and only allows users to access resources within their respective segments. It helps prevent cybercriminals who have gained unauthorized access to an organization’s network from moving laterally across the network because the cybercriminal is limited to only the network segment they accessed. To provide better security to their network, organizations can create micro-segments which are isolated parts of the network within a segmented network.

Regularly audit network privileges

Organizations need to regularly audit network privileges to ensure the right users have the necessary access they need to do their jobs and remove any users who do not need access to specific resources anymore. Regularly auditing network privileges and access prevents privilege creep, which is when users have accumulated higher levels of access than they need. It helps prevent misuse by potential insider threats and unauthorized access by cybercriminals.

Use Keeper® To Implement the Principle of Least Privilege

The best way to implement the principle of least privilege is with a PAM solution. With a PAM solution, organizations can see who has access to their network and limit user access to sensitive data. They can secure privileged accounts by ensuring employees are protecting them with strong and unique passwords and MFA.

KeeperPAM™ is a privileged access management solution that helps simplify privilege management by combining Keeper Enterprise Password Manager (EPM), Keeper Secrets Manager (KSM) and Keeper Connection Manager (KCM) into one, unified solution. With KeeperPAM, organizations can achieve complete visibility, security and control over every privileged user on every device.

Source: Keeper

Some of the benefits of using passphrases are that they’re easy to remember, difficult for cybercriminals to crack and they’re considered to be more secure than traditional passwords because of poor password habits. Some of the disadvantages of using passphrases are that some websites and apps may have low character limits, it’s impossible to remember passphrases for every single one of your accounts and they’re still vulnerable to being exposed in public data breaches.

Continue reading to learn more about passphrases and when you should use them to secure your online accounts and apps.

What Is a Passphrase?

A passphrase is a type of password that is created using a random combination of uncommonly used words. Since passphrases are created using words, they are generally longer, easier to remember and are considered to be more secure than using traditional passwords. Traditional passwords are often weak and are reused across multiple accounts because it’s difficult for individuals to remember multiple strong passwords.

While passphrases are considered to be more secure, there are still rules users should take into account when creating strong passphrases. A strong passphrase should have the following characteristics.

The Benefits of Using a Passphrase

Here are three benefits to using passphrases over traditional passwords.

Easy to remember

Because passphrases are made up of different words, they’re typically easier for users to remember, especially when you compare them to traditional passwords. For a traditional password to be strong, it has to be made of a variety of characters and be at least 16 characters long. A long, complex password isn’t as easy to remember as a long passphrase that contains a mix of characters.

Difficult for cybercriminals to crack or guess

The longer a passphrase is, the longer it takes for cybercriminals to guess or crack it. This is due to its password entropy. Password entropy is a mathematical equation that is used to determine whether it would be easy or hard for a cybercriminal to crack a password. Password entropy takes into account the variation of character length used in the password. Because passphrases are longer due to multiple words, their password entropy is greater, meaning they’re more difficult for cybercriminals to crack.

More secure than traditional passwords 

As mentioned above, when creating traditional passwords, many people resort to using weak passwords because they want to be able to remember them for multiple accounts. This often leads to password reuse, which places multiple accounts at risk of being compromised if a cybercriminal cracks just a single password that’s being reused. Using passphrases as passwords removes this risk since they’re both strong and easy for users to remember.

The Disadvantages of Using a Passphrase

Here are three primary disadvantages to using passphrases.

Some websites and applications have low character limits

The longer a passphrase is, the more secure it’s considered to be. However, using passphrases may not be possible on some websites and applications that have low character limits. This means users should instead use traditional strong passwords on these websites and apps to ensure that the password they’re creating cannot be easily guessed or cracked by cybercriminals. We suggest using a password generator to help you create these strong passwords.

You can’t remember passphrases for every single account

While passphrases are easier to remember than long, complex passwords, you won’t be able to remember them for every single account. The average person has 100 accounts, ranging from bank accounts to social media accounts, so even if you choose to use passphrases to protect every single one of them, it’ll be impossible to remember 100 passphrases on your own.

Still vulnerable to data breaches

While passwords – like passphrases – are meant to secure your online accounts from unauthorized access, they’re still vulnerable to data breaches. This is especially true for users who fail to also enable Multi-Factor Authentication (MFA) on their accounts. MFA adds an extra layer of security to your online accounts by requiring that a user verify who they are before being able to access their account. The more MFA methods enabled on an account, the more secure that account will be.

When public data breaches occur, whether or not a user’s password is strong doesn’t matter – all that matters is how that organization protects user information, which includes their credentials. If a user’s credentials aren’t secured, then their password is vulnerable to being exposed in a data breach.

When To Use a Passphrase

Passphrases are great to use in any instance where you only need to create passwords for a small number of accounts. The more accounts you use a passphrase on, the more passphrases you’ll have to rely on yourself to remember. Many people choose to use passphrases when creating a master password for an account, such as a password manager.

Password managers are tools that aid users in creating, managing and securely storing their sensitive data, such as the logins to their online accounts, credit card details and sensitive files. Password managers remove the need for users to remember multiple passwords and instead, users only have to create and remember one master password. This password should be both strong and easy for the user to remember, so it’s the perfect instance to use a strong passphrase.

Passphrases Are Easy To Remember and Secure

Passphrases are a great way to create passwords that are both strong and easy to remember. However, even though you’ll be able to remember one or two passphrases easily, it’ll be impossible to remember a passphrase for every single one of your accounts. A password manager like Keeper® can help. Keeper helps users create, store and manage the logins for every one of their accounts. Keeper also stores Two-Factor Authentication (2FA) codes, to make securing accounts with MFA a lot easier.

Ready to see how Keeper Password Manager can help you secure your online accounts? Start a free 30-day trial today.

Source: Keeper

Organizations using Veeam Backup and Replication can now strengthen their defenses against ransomware with Sophos MDR and Sophos XDR. Read on to learn how Sophos’ new integration with Veeam delivers better visibility to detect and stop threats targeting backup data.

Backup and recovery are integral parts of a holistic cybersecurity strategy. Adversaries attempt to tamper with backup solutions to prevent recovery from ransomware attacks – early detection of this malicious activity is critical.

Sophos’ new integration with Veeam seamlessly exchanges security information when a threat emerges, extending visibility to help detect, investigate, and respond to active attacks.

This powerful new partnership provides peace of mind that backup data is always available and protected, enabling organizations to detect threats, investigate suspicious activity, and ultimately recover data quickly.

With Sophos and Veeam, organizations can ensure the integrity and availability of backups, reducing the risk of data loss due to malware, accidental deletion, internal security threats, and other data loss scenarios.

• The Sophos MDR service provides 24/7 security monitoring, filters out redundant alerts, and investigates threats to Veeam environments, like attempts to delete backup repositories, disable multi-factor authentication, delete encryption passwords, and more.
  
• Organizations using the Sophos XDR solution for in-house investigation and response can also integrate Veeam telemetry to identify potentially malicious activity, combined with threat detections from other sources in a single unified platform and console.

The strongest protection against ransomware attacks

The Sophos XDR solution and the Sophos MDR service include industry-leading CryptoGuard technology that universally detects and stops ransomware before it impacts customers’ systems, including new variants and local and remote encryption.

Sophos’ superior prevention, detection, and response capabilities, combined with immutable backups and versioning provided by Veeam, ensure backup data remains secure and recoverable.

Elevate your defenses with Sophos’ new Veeam integration

The new Veeam integration is now available as an add-on for Sophos MDR and Sophos XDR subscriptions via a new “Backup and Recovery” Integration Pack license.

To learn more and explore how Sophos MDR and Sophos XDR can help your organization better defend against active adversaries, including attacks that target your backup repositories, speak with a Sophos adviser or your Sophos partner.

Already a Sophos MDR or Sophos XDR customer? Activate the Veeam integration in your Sophos Central console today.

Source: Sophos

The IDC MarketScape study evaluates endpoint security vendors’ prevention, EDR, and MDR capabilities and business strategies.

We are delighted to announce that Sophos has been named a Leader in the IDC MarketScape: Worldwide Modern Endpoint Security for Midsize Businesses 2024 Vendor Assessment.

This IDC MarketScape evaluates vendors based on how their endpoint prevention, EDR, and MDR capabilities meet the needs of organizations with 100 – 2,499 employees.

According to the IDC MarketScape evaluation, “Sophos should be a strong consideration for midsize businesses seeking to reduce their number of core security vendors without sacrificing security efficacy”. Read the excerpt

“With their professional and managed security services, expanded product set, and ability to integrate with existing security investments, it’s clear that Sophos understands the needs and challenges of a midsize business,” said Michael Suby, research vice president, Security & Trust, IDC. “Sophos’s comprehensive approach from prevention through recovery places Sophos on the shortlist of midsize businesses looking for an established and effective partner for security.”

Protection-first approach

We believe our continued focus on preventative security is a key contributor to Sophos’ position as a Leader in this evaluation. It provides a robust foundation for the Sophos XDR solution and the Sophos MDR service. Sophos delivers strong threat protection to significantly reduce the detection and response workload for IT admins and security analysts​.

The IDC MarketScape notes, “Sophos recently added several new capabilities: adaptive attack protection, critical attack warning, and data protection and recovery. Adaptive attack protection, introduced in early 2023, is a demonstration of Sophos’ means to disrupt hands-on-keyboard attackers while minimizing potential disruption to legitimate operations.”

The report also notes, “Sophos includes an expansive set of protection technologies (host-based firewall and IDS/IPS, device control, DLP, and encryption) as standard features in its endpoint security offering.”

Extensive and compatible security platform and ecosystem

The Sophos security platform combines an expansive portfolio of products and managed security services with compatibility with an extensive suite of third-party solutions. Organizations can detect and respond to threats using a single unified platform, leveraging the technology they need from Sophos or connecting their existing cybersecurity technologies.

“For the many midsize businesses and VARs serving midsized business that are struggling with SecOps staffing and maturity, Sophos offers the means to overcome this challenge without forcing a full vendor swap.”

We continue to expand and diversify strategic and technology partnerships to enable organizations to reduce cyber risk further. Recognizing this approach, the IDC MarketScape refers to our expanded partnerships with cyber insurance providers, helping midsize businesses address potential challenges in seeking insurance coverage.

Get the excerpt

To learn more about why Sophos was named a Leader in the 2024 IDC MarketScape for Worldwide Modern Endpoint Security for Midsize Businesses, read the excerpt here.

Additional Sophos customer and analyst validation

Sophos’ recognition as a Leader in this IDC MarketScape comes on the heels of multiple customer endorsements and third-party validations, including: ​

• Sophos named a Leader in the Gartner MQ for EPP for the 14th consecutive report​
• Sophos named a Leader for Endpoint Protection, EDR, XDR, Firewall, and MDR in G2’s Winter 2024 (December 2023) Reports​
• Sophos earning a 100% Total Protection score in SE Labs’ Q4 2023 Enterprise Endpoint Security and Small Business tests​
• Sophos named Gartner Customers’ Choice for EPP for the second consecutive year​
• Sophos named Gartner Customers’ Choice for MDR in Gartner’s first-ever report in the segment​

Source: Sophos

Your data that’s stored with an organization you trusted could become exposed due to a targeted cyber attack or data breach. If your data was part of a public data breach, you need to change any compromised passwords, monitor your accounts for suspicious activity, freeze your credit and notify any relevant parties of the data breach.

Continue reading to learn more about data breaches, how to recover from a data breach and how to prevent future data breaches from happening.

What Is a Data Breach?

A data breach is when sensitive data of a user or organization is accessed, stolen and used by unauthorized users. Cybercriminals can access sensitive data when it is accidentally exposed due to human error or through vulnerabilities in data infrastructure. They can also steal sensitive data by targeting a user or organization with a cyber attack. Data breaches can lead to identity theft in which threat actors steal a victim’s Personally Identifiable Information (PII) and impersonate them to commit fraud.

Data breaches are often the result of data leaks, targeted cyber attacks or malicious insider threats.

• Data leaks: Sensitive data unintentionally exposed from within an organization. Data leaks are often the result of human error and can be the result of accidentally revealing sensitive information to the public, an internal user having unauthorized access to sensitive data or improperly storing sensitive data.
• Targeted cyber attacks: Attacks on computers, networks or systems by cybercriminals in an attempt to steal sensitive information. Cybercriminals exploit a user or organization’s security vulnerabilities such as software bugs or weak cybersecurity practices. They exploit these vulnerabilities to gain unauthorized access and steal sensitive data.
• Malicious insider threat: A cyber threat that happens within an organization. They occur when current or former employees, partners, contractors or vendors intentionally expose or steal sensitive data for malicious purposes.

How To Recover From a Data Breach

If you received a notification that your sensitive data has been exposed in a data breach, you need to act quickly to identify the impact of the data breach and mitigate the impact. The first step is to identify what information of yours was exposed in the data breach. Once you have identified the information that was exposed, you can take the necessary steps to contain the damage and mitigate the effects of the data breach. Here are the steps to recover from a data breach.

Change any compromised passwords

When you have determined what sensitive information was revealed in a data breach, you need to change any compromised passwords for the accounts associated with it. You should create new and unique passwords that are difficult to guess. To easily change compromised passwords, you should use a password manager.

A password manager is a tool that securely stores and manages your personal information, such as your passwords, in a digital encrypted vault. With a password manager, you have access to all of your passwords and can use it to help change them with the built-in password generator.

Monitor accounts for suspicious activity

After you have changed the compromised passwords, you need to monitor your accounts for any suspicious activity to determine if cybercriminals still have access. Look for any suspicious activity such as:

• Fraudulent charges
• Additional debt
• Unknown logged-in devices
• Changes in security settings
• Failed login attempts
• Unfamiliar messages
• Unauthorized applications for loans

Freeze your credit

Cybercriminals can use your sensitive information to apply for loans or open lines of credit under your name, which can hurt your credit and leave you with large amounts of debt. If your sensitive information was exposed in a data breach, you need to individually freeze your credit with each of the three credit bureaus – Experian, TransUnion and Equifax. If you fail to contact all three of the credit bureaus, then a cybercriminal can still apply for a loan under your name.

If you are afraid your leaked information could lead to identity theft, you should apply for a fraud alert. A fraud alert is a free notice that you can add to your credit report that requires you to verify your identity before you’re able to take out a loan under your name. It protects you from identity theft and helps to ensure that only you can take out loans or open lines of credit under your name. To place a fraud alert, you would need to contact one of the credit bureaus.

Notify any relevant parties

Depending on the sensitive information revealed in the data breach, you need to notify any relevant parties of the data breach. For example, if your credit card information is exposed, you should contact the bank to cancel the card and get a new one. Contact your social network if your online accounts were compromised as they can be used for phishing attacks. If your company’s data was exposed, contact your company to inform them, so they can take the proper steps to handle the security breach.

How To Prevent Future Data Breaches

Although you may have taken the right steps to recover from a data breach, cybercriminals may try to retarget you for future cyber attacks to steal your information. You need to take precautionary measures to prevent future data breaches. Here are the ways to prevent future data breaches.

Use strong and unique passwords

You need to use strong and unique passwords to protect your online accounts from cybercriminals. By using unique passwords for each of your accounts, you can prevent cybercriminals from executing credential stuffing attacks and compromising multiple accounts. Strong passwords make it difficult for cybercriminals to guess and crack your passwords.

Strong and unique passwords protect your accounts that hold sensitive information. You should create passwords that are at least 16 characters long. Each password should have a unique and random combination of uppercase and lowercase letters, numbers and special characters. You should avoid including personal information, sequential numbers or letters and commonly used dictionary words when creating passwords.

Enable MFA

Multi-Factor Authentication (MFA) is a security protocol that requires users to provide additional forms of authentication to gain access to their accounts. With MFA enabled, you need to provide your login credentials along with an additional form of identification to access your accounts. MFA provides an extra layer of security by ensuring only authorized users are allowed access to your accounts. Even if your login credentials were compromised, cybercriminals would not be able to access your accounts since they wouldn’t be able to provide the additional authentication.

Keep your software up to date

Cybercriminals will try to exploit security vulnerabilities of outdated software that allow them to bypass security measures and install malware. You should regularly update your software to patch any security flaws and add security features that better protect your device. Keeping your software up to date will help prevent cybercriminals from accessing your data.

Reduce your attack surface

An attack surface refers to all of the possible entry points where cybercriminals can access a system and steal data. A large attack surface makes it harder to manage the various points where a cybercriminal can attack you and gain unauthorized access to your sensitive information. Reducing your attack surface will limit the opportunities a cybercriminal has to attack you. You can reduce your attack surface by deleting inactive accounts, getting rid of unnecessary applications, strengthening login credentials and updating your software.

Stay educated about cyber attacks

Cybercriminals are always finding new ways to attack users and steal their sensitive data. You need to stay educated about new cyber attacks to recognize and avoid them. Take precautionary measures to prevent cyber attacks from successfully impacting you or your organization.

Keeper® Helps Prevent Future Data Breaches

The best way to implement cybersecurity best practices and prevent future data breaches is by using a password manager. With a password manager, you can store and protect your personal information such as your login credentials, Social Security number, passport, IDs and other sensitive data. It will help you strengthen your accounts with access to sensitive data and help you change any compromised passwords if you suffer a data breach.

Keeper Password Manager uses zero-trust and zero-knowledge encryption to protect your personal information. This ensures that only you have access to your digital vault. Sign up for a free trial to protect your sensitive information from data breaches.

Source: Keeper

A password breach is when a cybercriminal has your password and is able to use it to get into your account. Password breaches can occur due to social engineering and insider threats, but most often, weak password habits are the culprit.

Keep reading to learn more about how passwords get breached, what can happen if your passwords are breached and how to prevent password breaches from happening.

How Do Passwords Get Breached?

Passwords are the keys meant to safeguard your online accounts and the data they contain.  They should never be accessed by someone who is unauthorized to do so. Cybercriminals take advantage of individuals who reuse passwords, use weak passwords, click on phishing scams and insecurely store their passwords in order to launch their attacks.

Reusing passwords

One way passwords get breached is through password reuse. Password reuse is extremely common. In fact, 52% of people use the same password for multiple accounts because it’s easier for them to remember one password or several versions of the same password, instead of strong and unique passwords for each separate account. However, this poses a serious risk, because if a cybercriminal gets hold of that one password, they are able to access all of the accounts that you use it for. If a company that you have an account with were to be breached and your password is exposed, cybercriminals can then launch credential stuffing attacks to see if they can access multiple accounts with the same password.

Using weak passwords

Passwords also get breached because they are weak. Any password that is easy to guess or uses a small number of characters that password-cracking software can easily crack is likely to be compromised by cybercriminals. Weak passwords are those that are too short, repeat letters or numbers and use personal information like the year you were born. Avoiding weak passwords, and creating strong and unique passwords for each account, is simple with the help of an online password generator that will create them for you.

Phishing scams

Phishing scams are emails, text messages or phone calls from cybercriminals portraying themselves to be someone they’re not, like a company or family member, to get you to reveal sensitive information. A cybercriminal uses phishing scams to solicit information they can use to compromise your online accounts.

For example, a cybercriminal might send you a phishing email saying to immediately change your password because your account has been compromised. The email may even urge you to click on a link, but clicking that link could take you to a spoofed website that looks legitimate. If you enter your credentials into the spoofed website, you’re essentially handing them over to the cybercriminal.

Insecurely storing passwords

Anytime you store your passwords insecurely, like in a spreadsheet or the notes feature on your phone, you’re placing your accounts at risk of becoming compromised. Storing login credentials in an unencrypted format means cybercriminals can easily gain access to your accounts and any data stored within them.

Insecure password-sharing methods

Password sharing is meant to give others secure access to your account with your approval. However, insecure password-sharing methods like sharing through text messages and email can be easily intercepted by cybercriminals. Furthermore, if a bad actor has physical access to your device, they can see the password in plain text.

It’s important that when you choose to share your passwords, you do so with full end-to-end encryption to prevent your password from being breached. A secure password manager can facilitate this type of secure credential sharing.

What Happens if My Passwords Get Breached?

If any of your passwords get breached, it can lead to a variety of privacy and financial issues that can have serious impacts on your day-to-day life. Data stolen by a cybercriminal can be used to access other accounts, especially if you reuse passwords or variations of them. Password breaches can also lead to cybercriminals blackmailing you or stealing your identity.

Suppose a cybercriminal were to breach your email password and you did not have multi-factor authentication enabled on the account, they may be able to reset the passwords of your other accounts that use the same email address.

How To Know if Your Password Is Breached

The best way to know if your password has been breached is with a dark web monitoring tool. Keeper Security offers a free dark web scan that allows you to check if your data has been stolen and published on the dark web. The dark web is a hidden part of the internet that allows transactions and information to be shared and sold anonymously. It is notoriously used for unlawful purchases, including the selling and purchasing of stolen personal information.

How To Prevent Your Passwords From Being Breached

You can prevent your password from being breached by using a password manager, enabling Multi-Factor Authentication (MFA) and avoiding public WiFi.

Use a password manager

The best way to prevent your passwords from getting breached is by using a password manager. A password manager is a tool that helps you generate, manage and securely store your passwords. Password managers help you ensure that your passwords are always following password best practices and are never being reused across your accounts.

One way passwords get breached is by using personal information when creating a password. For example, using a pet name or the street you live on in your password makes it easy for cybercriminals to guess and gain access to your account. Of course, remembering passwords that have no significance to you can be hard, but that’s where using a password manager helps. With a password manager, the only password you’ll have to remember is your master password.

Enable MFA

Another essential step in increasing your overall online security is to enable multi-factor authentication whenever possible. MFA requires you to use one or more additional methods of authentication to log in to your accounts. Having MFA enabled keeps your confidential information safeguarded from unauthorized access. Even if your passwords were to become breached, a cybercriminal would still be unable to access your account if MFA was enabled, because they wouldn’t be able to authenticate who they are.

Avoid using public WiFi

Avoiding public WiFi can also help prevent your passwords from being breached. When using public WiFi, your data is vulnerable to being intercepted through a Man-in-the-Middle (MITM) attack. A MITM attack is when data being sent between two individuals is intercepted by a cybercriminal. Avoiding public WiFi will mitigate the risk of a MITM attack happening to you.

Stay Safe From Password Breaches

Remember to always use strong, unique passwords that are not easily guessable. To ensure you’re always using strong passwords, use a password manager like Keeper Password Manager. As the world’s most trusted password manager, Keeper can keep your passwords protected from breaches. The user-friendly interface ensures it’s as simple to use and seamless across all of your devices. Start a free 30-day trial today.

Source: Keeper

Protect your Google Workspace productivity tools with Sophos.

Organizations with distributed workforces are increasingly reliant on cloud-based productivity platforms like Microsoft 365 and Google Workspace for email, file sharing, and collaboration. Read on to learn how Sophos’ new integration with Google Workspace can help defend against advanced attacks against your business-critical productivity tools.

Detect and respond to threats targeting your Google Workspace environments

Google Workspace (formerly known as G Suite) includes some built-in security controls, but investigating, validating, and responding to threats can be challenging for under-resourced security teams.

Security teams need granular visibility across their entire IT environment to defend against active adversaries. The Sophos Extended Detection and Response (XDR) solution and the Sophos Managed Detection and Response (MDR) service leverage a connected tech approach that correlates data from a broad ecosystem of products and technologies, providing full visibility across your applications, tools and security components.

Sophos has launched a new integration that extends this ecosystem by collecting security data and telemetry from the Google Workspace productivity suite, giving Sophos MDR analysts and Sophos XDR users better visibility to detect and stop threats.

The Sophos MDR service provides 24/7 security monitoring, filters out redundant alerts, and investigates threats to your Google Workspace environment, like unauthorized Google Account access and malicious Gmail activity.

Organizations using the Sophos XDR for in-house investigation and response can also integrate Google Workspace telemetry to identify potentially malicious activity including suspicious logins, activity associated with suspended user accounts, and anomalous changes to administrator settings – combined with threat detections from other sources in a single unified view.

Available to Sophos MDR and Sophos XDR customers at no additional charge

Sophos includes a range of turnkey integrations with both Sophos and third-party technologies in Sophos MDR and Sophos XDR subscriptions. Integrations with productivity tools including Microsoft 365, and now Google Workspace, are available to all new and existing Sophos MDR and Sophos XDR customers at no additional charge.

Elevate your defenses with the new Google Workspace integration

To learn more and explore how Sophos MDR and Sophos XDR can help your organization better defend against active adversaries, including attacks that target your productivity tools, speak with a Sophos adviser or your Sophos partner.

Already a Sophos MDR or Sophos XDR customer? Activate the Google Workspace integration in your Sophos Central console today.

Source: Sophos