Solving the Challenge of Cybersecurity Employee Retention and Skills Gaps in Hospitality

Staff turnover is something that every company has to grapple with. However, when that turnover is from an already lean cybersecurity team within the hospitality or gaming industries, the impact can be drastic. Not only does it take time to find and onboard replacements, but when working with such a specialized team, where the knowledge base can be compartmentalized sometimes down to an individual, the associated skills leave the team as well.

So how can organizations address cybersecurity employee retention and the related skills gap? To answer this question we take a closer look at the causes and broader impacts, and provide actionable recommendations to shore up both your teams and your cybersecurity.

Combating High Levels of Security Staff Turnover

Staff turnover rates in hospitality are notoriously high. The industry has been plagued by employee retention woes for years, and these issues worsened considerably during and after the pandemic, when many other industries were able to work remotely. 

A high level of turnover within security teams brings increased cyber risks to organizations. Gaps in important skills emerge that are both time-consuming and costly to fill. These skills span both technical and strategic/leadership functions, the absence of which leaves organizations in the hospitality space more susceptible to being successfully breached. 

In 2019, hotelier Marriott International reported costs of $126 million following a significant breach of its IT systems. Marriott then suffered another breach in 2022 after an employee was duped into giving threat actors computer access.

There are steps that increase cybersecurity employee retention in hospitality. Offering and incentivizing good retirement or health benefits can make a big difference. Since many employees in this industry, such as cybersecurity teams at casinos, cannot work from home, even smaller perks, like free food or commuter benefits, can help keep them engaged.

These benefits don’t always have to cost money. Cybersecurity workers in the hospitality space often feel underappreciated because they are not front and center with their customers. Making people feel recognized at work can be a pivotal way to motivate them to continue working hard for their organization. This desire to be recognized stretches from general security operations positions right up to the CISO level, and should never be underestimated. Sometimes the littlest things make the biggest difference.

Download the Cybersecurity Guide for the Hospitality Industries to get more insights and tips into securing your organization from cyber attacks.


Mandate and Encourage Cybersecurity Training and Awareness

If hospitality cybersecurity is to improve, every employee in the organization needs to buy in. Training employees on the safe and proper use of all relevant software and hardware, including point-of-sale (POS) systems and terminals, front desk computers, and property management systems (PMS), lessens the workload for the security team and reduces the chance of human error. It also shows the security team that there is support at the organizational level, which helps with retention. Training should cover common tactics such as social engineering, which plays a dominant role in many hospitality data breaches, and general cybersecurity awareness reinforced through regular corporate reminders, checklists, flyers around the premises, and more.

For hospitality cybersecurity teams, offering industry- or vendor-specific training will not only help cover the skills gap, but will help employees feel there is room for growth. One study found that employees with professional development opportunities have 34% higher retention. Providing these opportunities offers another avenue to incentivize security staff to stay. 

Finding the Balance

One of the biggest difficulties in strengthening hospitality cybersecurity coverage is that threat actors don’t operate on a 9-5 schedule. While most hospitality organizations don’t follow this schedule either, the average casino, restaurant, or hotel may only have a couple of well-trained IT security personnel; this level of human resources is not sufficient to manage the sophistication and volume of modern cyber threats, not to mention cover shifts on nights, weekends or holidays. 

Complicating matters further is the infrastructural complexity of hospitality IT environments. Take cybersecurity for casinos as a poignant example. As a $44 billion industry, it offers threat actors a very big prize. In fact, the threat to casinos is high enough that the FBI issued a private industry notification in November 2021 highlighting growing ransomware risks to tribal casinos. The FBI notice followed a similar warning earlier in 2021 from the National Indian Gaming Commission that cyber attacks on tribal casinos had jumped 1000%.

Digital transformation strategies have brought huge operational shifts in casinos, with moves towards cloud computing and online gambling services. SaaS applications replace many on-premises systems, while cloud file storage offers more cost-efficient ways to store databases. However, if these are not set up and maintained properly, which can be a struggle given the global cybersecurity skills gap, they can be an easy way in for a threat actor.

When a hospitality cybersecurity team relies solely on an in-house staff, there is continued risk of employee turnover. When someone leaves, filling the role is difficult enough, but onboarding and gaining company-specific knowledge takes time that hospitality businesses can’t afford. It takes a long time to glean the experience and knowledge required to truly understand the infrastructural intricacies of hospitality networks, apps, and security processes. That is why many hospitality organizations are now looking to find a cybersecurity partner, keeping their strengths in-house and outsourcing the rest. Services such as 24/7 security operations center (SOC) monitoring, detection and response can provide a huge relief to an overworked internal team. 

How Proficio Helps Mitigate The Skills Gap in Hospitality

Proficio’s range of managed security services can help casinos, restaurants, hotels and others in the hospitality industry mitigate the impacts of a continued cyber skills gap. Our global network of SOCs provides around-the-clock expert monitoring, investigating, and triaging of suspicious events. With additional services, such as automated response and Risk-Based Vulnerability Management, Proficio can help your team catch cyber threats before they damage your organization. To learn more,…

Ten Tips for Restaurant POS Cybersecurity

Point of Sale (POS) systems are a critical part of restaurant industry infrastructure. They are used heavily every day, carrying the financial lifeblood of the establishments that run them. Given this business function, strong POS cybersecurity practices are essential to keep these systems secure from cyberattack and to keep your customers' sensitive data safe. Maintaining a strong security posture also requires understanding the processes bad actors use to attack a POS system. Below we look at some common attack methods and provide our top ten tips for shoring up POS cybersecurity so you can keep your sensitive data secure.

The Blueprint of a POS Cyberattack

You may wonder how easily POS systems can be attacked. POS systems are considered soft targets. While there may be security measures in place at the endpoint (e.g., card readers) and at financial institutions, weaknesses often remain in the connection between POS workstations and organizational servers. A skilled attacker will use that line of communication to reach the area of the network they are targeting. An attack on a POS system typically takes place in three phases: infiltration, lateral movement, and exfiltration. Let's take a deeper look at how these attacks occur:

Phase One: Infiltration

Often, an attacker doesn't target the POS system directly. They will instead look to get into the organization's network and then use different tactics to reach the sensitive data hosted on the POS system. Techniques may include exploit kits delivered through browser attacks, stolen credentials, or compromised third-party applications. Most commonly, though, successful attacks start with phishing campaigns carrying a malicious attachment or a link to a website that installs a backdoor on the target's device once an employee clicks it.

Phase Two: Lateral Movement

Once an attacker has gained access to the company network, they likely won’t have immediate access to the POS system. To reach their goal, a cyberattack on your POS, they will utilize a variety of tools to map your network and locate the systems that contain sensitive data. Attackers will search for vulnerabilities in these systems or try to gain access by obtaining user credentials. Malware is then placed within the accessed POS system and remains there, quietly gathering as much of your customer data as possible. Since attackers are looking to maximize the amount of valuable data they can capture, the infection implements stealth and persistence tactics to remain on the system and avoid detection by the most basic security measures.

Phase Three: Exfiltration

Once the POS system is compromised, attackers go to work collecting sensitive information. Scraped data is typically staged on an internal server that your POS system already communicates with regularly, so the traffic blends in with normal activity and avoids detection. The data sits there until the attacker is ready to transfer it to an external system, where they can freely access customer data, including credit card numbers and other personal information your POS system collects. Not long after, that data will be available on the dark web…
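The staging pattern above, traffic to a server the POS already talks to, defeats a plain "unknown destination" rule; volume relative to that pair's own baseline still exposes it. The following Python is an added example (not code from the original page or from Proficio). The flow records, host names, the 7-day baseline and the 10x threshold are all constructed assumptions.

```python
"""Flag staged exfiltration from POS terminals using outbound-flow baselines.

Added example, not code from the original page. The flow records below are
constructed for illustration; field names (src, dst, bytes_out) are assumptions.
"""
from collections import defaultdict
from statistics import median

BASELINE_DAYS = 7
VOLUME_FACTOR = 10          # assumed: flag flows above 10x the pair's median
ALLOWED_PEERS = {"pms-srv-01", "pay-gw.example"}   # assumed expected POS peers

# Constructed sample: daily outbound bytes from each POS terminal to each peer.
# pos-03 talks to the same internal "friendly" server it always uses, but on
# day 8 it pushes ~200x its normal volume: scraped card data being staged.
FLOWS = []
for day in range(1, 9):
    for host in ("pos-01", "pos-02", "pos-03"):
        FLOWS.append({"day": day, "src": host, "dst": "pms-srv-01", "bytes_out": 40_000 + day * 100})
        FLOWS.append({"day": day, "src": host, "dst": "pay-gw.example", "bytes_out": 12_000})
FLOWS.append({"day": 8, "src": "pos-03", "dst": "pms-srv-01", "bytes_out": 8_500_000})
# Same day, pos-02 opens a connection to a peer it never spoke to before.
FLOWS.append({"day": 8, "src": "pos-02", "dst": "10.20.30.40", "bytes_out": 900})


def build_baseline(flows, baseline_days=BASELINE_DAYS):
    """Median daily bytes_out per (src, dst) pair over the baseline window."""
    per_pair = defaultdict(list)
    for f in flows:
        if f["day"] <= baseline_days:
            per_pair[(f["src"], f["dst"])].append(f["bytes_out"])
    return {pair: median(v) for pair, v in per_pair.items()}


def detect(flows, baseline, allowed=ALLOWED_PEERS, factor=VOLUME_FACTOR,
           baseline_days=BASELINE_DAYS):
    """Return alerts for flows after the baseline window.

    Two checks: an unknown destination (cheap, catches pos-02) and a volume
    spike to a known destination (catches pos-03, which an allow-list alone
    would miss because the staging server is a legitimate peer).
    """
    alerts = []
    for f in flows:
        if f["day"] <= baseline_days:
            continue
        if f["dst"] not in allowed:
            alerts.append({"host": f["src"], "reason": "unknown-peer", "dst": f["dst"]})
            continue
        base = baseline.get((f["src"], f["dst"]))
        if base and f["bytes_out"] > factor * base:
            alerts.append({"host": f["src"], "reason": "volume-spike",
                           "dst": f["dst"], "ratio": round(f["bytes_out"] / base, 1)})
    return alerts


def run():
    """Baseline on days 1-7, evaluate day 8; returns the alert list."""
    return detect(FLOWS, build_baseline(FLOWS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

A per-pair median is deliberately simple; in production the baseline would be keyed on time of day as well, since a POS sending a nightly batch at 02:00 is normal while the same volume at 14:00 is not.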

Why POS Cyberattacks are Common

Unfortunately, in many instances POS systems are vulnerable because they are not properly maintained or set up with security in mind. This might be due to a lack of staff, or because organizations don't realize how often POS systems are targeted; the result is platforms running on legacy or unpatched operating systems (OS), or relying on standard antivirus software that is minimally effective against determined attackers. It's easy to fall into a false sense of security when the system is running and you can't "see" any issues, and that is exactly what many cybercriminals are hoping for.

In today's threat landscape of unknowns and zero-days, traditional antivirus alone is rarely considered enough POS cybersecurity. According to a Verizon Data Breach Investigations Report, 90% of cyberattacks on the hospitality and restaurant industries involve POS, which is why it's critical that organizations using POS systems take extra steps to ensure their systems are secure.

Here are our ten tips on improving cybersecurity for POS systems:

  1. Perform Regular Tests

Run vulnerability scans and penetration tests to identify weaknesses in your systems. When vulnerabilities are found, implement procedures and protections to address them; it is critical to close these back doors quickly.

  2. Update and Patch Systems

Keeping your network, systems, and applications up-to-date will ensure that you have proper protections from known threats and vulnerabilities. The longer you wait to patch or update, the more opportunity an attacker has to successfully exploit that vulnerability on your system. Prioritize vulnerabilities so you’re maximizing your efforts to keep your networks secure.

  3. Whitelist Applications

A simple, yet often missed, security step is application whitelisting. By whitelisting applications on your POS, you ensure that only those required to run the system safely and effectively can execute. Anything not essential to the POS (e.g., web browsers and email clients) should not be whitelisted. This prevents attackers from exploiting those applications to gain a foothold on the system.

  4. Enable Multi-Factor Authentication (MFA)

We all know it’s best practice to use complex, phrase-based passwords. Adding another form of authentication to the user authentication process will help prevent bad actors from fully gaining access via illicitly obtained user credentials.

  5. Require End-to-End Encryption

POS systems typically encrypt the data they store; however, data can still be exposed while in transit. Using a payment gateway that supports end-to-end encryption ensures your customers' card data is encrypted from capture at the terminal all the way to the gateway, closing that gap for any attacker looking to grab data in transit. When the encryption happens in the card reader hardware itself, the POS workstation never handles cleartext card data, which also defeats the memory-scraping malware described above.

  6. Use Tokenization

Tokenization replaces the card data captured at the POS terminal with a token or reference number. In the event of a POS compromise, the only data the criminals get are tokens, which have no value outside your system because the mapping back to card numbers lives only in the token vault. That vault (yours or your provider's) then becomes the high-value target and must be segmented and access-controlled accordingly.
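A minimal vault-based tokenizer, added here as an example (not the page's or any vendor's code), shows why a stolen token is worthless: the mapping exists only inside the vault. The in-memory vault, the test PAN 4111111111111111 and the last-four-preserving token format are assumptions.

```python
"""Vault-based tokenization of a card number (PAN).

Added example, not the page's or any vendor's code. The vault is an in-memory
dict for illustration; a real deployment keeps it in a segmented, access-
controlled service, since anyone who can call detokenize() holds the PANs.
"""
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check: reject malformed input before it reaches the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to PANs. Tokens carry only the last four digits."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        if pan in self._by_pan:             # same card -> same token (repeat-customer lookups)
            return self._by_pan[pan]
        while True:
            # Random body, same length as the PAN, last four kept for receipts/support.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token that fails Luhn can never be mistaken for a real card number.
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN."""
        return self._by_token[token]


def pos_record(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the POS itself stores after a sale: token, last four, amount. No PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    print(pos_record(vault, "4111111111111111", 42.00))   # assumed test PAN
```

Because the token is random rather than derived from the PAN, a second vault (an attacker's, or another merchant's) produces a different token for the same card, so a dump of the POS database reveals nothing that can be replayed elsewhere.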

  7. Ensure System Visibility

It is critical to maintain visibility of your entire POS system at all times, including all terminals and network applications. This allows you to identify threats or security policy violations early by tracking the activity and locations of perimeter devices and running network/system applications.

  8. Reach and Maintain Top to Bottom PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) has a set of requirements governing the safe handling of all credit card processing and information by merchants. Use these 12 requirements for PCI DSS compliance to guide your security practices:

  1. Use and maintenance of firewalls
  2. Configure passwords and settings (do not use vendor supplied)
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data
  5. Use and regularly update anti-virus software
  6. Update and patch systems
  7. Restrict access to cardholder data
  8. Assign a unique ID to each individual with computer access
  9. Restrict physical access to cardholder data
  10. Implement log management
  11. Perform vulnerability scans and penetration tests
  12. Documentation and risk assessments

  9. Employee Training

In many cases, the initial infiltration by a bad actor comes through an action or inaction of a staff member with access to your network. A large portion of these are not malicious acts by the employee (i.e., an insider threat) but stem from a lack of understanding of security best practices and shortcomings in training. Funding to bolster cybersecurity is a challenge for some organizations; however, that does not mean you are left with few defenses. Your first line of defense is your employees. Proper and ongoing training can help staff identify suspicious activity, such as a phishing campaign, and stop an attack before it starts. Training should cover using secure passwords, how to identify social engineering attacks, and other security best practices specific to your organization and its handling of sensitive customer data.

  10. Find a Partner and Robust Cybersecurity Solution

The cost and staff required to maintain a strong security posture is a challenge for many restaurants. Even when cost is not an issue, having enough security staff on hand to combat threats around the clock is not always possible. These issues can be mitigated by partnering with a security provider that can provide customized solutions to meet your individual security needs. Look for providers that can manage your security systems, monitor for threats, and provide immediate action should an event be identified. They should also be able to provide insights into best practices for your industry as well as recommendations for supplemental applications and systems.


Proficio as a Partner

Proficio offers a range of security services for a scalable and efficient way to address your security gaps in your POS cybersecurity. We can help you meet or exceed the PCI standard requirements and provide a range of services, including: Managed Firewall Service, Active Defense for automated response, and Managed Endpoint Detection and Response.


Contact Proficio to learn how we can help with your POS cybersecurity.

Five Tips for Selecting a Managed Detection and Response Service Provider

Relentless threat actors and complex technology stacks make it challenging for IT teams to keep up with the volume of cybersecurity threats – and even more difficult to respond to them rapidly. Compounding matters is the tight cybersecurity labor market characterized by too many job openings and a growing talent shortage. In this environment, security leaders are increasingly partnering with Managed Detection and Response (MDR) service providers for cost-effective 24/7 security monitoring and breach prevention. 

The growth in demand for MDR services is attracting new entrants such as commodity resellers looking to pivot to a services business model. When evaluating providers from the pool of new and established players, vendor selection can be difficult as many claim similar capabilities. While reputable analysts, like Gartner, have helped narrow the field by recognizing some of the top organizations offering MDR capabilities, here are our five key requirements to look for when selecting a Managed Detection and Response service provider:  

Rapid Response Capabilities 

Organizations must be able to effectively detect and respond to threats around-the-clock regardless of whether it is an evening, weekend or holiday. One of the main motivations behind partnering with an MDR service provider is to improve your company’s security posture with a team that can quickly respond to and contain security threats.  

While most organizations can only investigate and respond during business hours, the ability to quickly contain threats on a 24/7 basis is crucial to any organization. Automated response capabilities provide incident responders time to further investigate and remediate before there is a serious breach. While many MDR service providers claim they offer response services, not all capabilities are equal. Some providers only focus on accelerating response times for your security team through actionable guidance and recommendations, relying on a manual action to contain a threat.  

True MDRs have developed automated and/or semi-automated containment capabilities, such as isolating infected host systems or blocking IP addresses. An effective service provider will correlate high-fidelity events to detect indicators of attack as well as help you determine what actions best align with your business requirements and the type of automated remediation that will be most effective. Secondary validation plays an important role to reduce the risk of responding to false positives, especially where business critical users or operations could be affected.  

Given that the use of identity-based attacks and credential abuse are growing rapidly, and frequently at the core of ransomware and supply chain breaches, advanced response offerings should also protect users’ identities. Identity Threat Detection and Response solutions can suspend a user account when an identity-based threat is detected.  

When selecting a Managed Detection and Response service provider, make sure you know what level of response capabilities you want in a provider and find one whose capabilities extend beyond mitigation guidance into response actions. Industry leading MDR providers combine Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) to maximize protection from targeted attacks. 

Support for Cloud Environments 

Motivated by cost savings, greater flexibility, and more efficient collaboration, businesses continue to adopt and expand their cloud infrastructure. In fact, a majority of businesses planned to host or move more than 50% of their workloads in the cloud over the next 12-18 months. However, while there are many benefits of moving to the cloud, the complications of setup can be overlooked. Issues such as misconfigurations, API vulnerabilities, account compromise, and malicious insiders all pose threats to the security of your environment and your sensitive assets hosted in the cloud. 

Given that cloud infrastructure can pose a risk to organizations, how can you work with your MDR provider to secure these assets? When sourcing a suitable provider, it’s best to look at the amount of cloud support that a provider offers. One that has limited monitoring capabilities for cloud environments may leave a significant part of your IT infrastructure unprotected, unmonitored, and exposed to threats that you won’t have visibility into. In addition, some MDR service providers may be able to help guide you in best practices for proper setup and maintenance, ensuring your cloud environments aren’t being left open to cybercriminals. 

At a minimum, select a Managed Detection and Response service provider that supports the three main public cloud vendors—AWS, Azure, and Google Cloud Platform. They should not only be able to monitor these critical log sources but also have experts on their team who can provide guidance. If your organization is using virtual servers and firewalls, find a provider who can manage these and help you implement best practices, so you can ensure your cloud hosting platform of choice is set up to vendor recommended standards.  

If you host your own SIEM, using a vendor such as Splunk Cloud, seek out an MDR provider that has the capability to work with that type of system as well. They should have a team of certified experts on the platform, dedicated to helping maximize the value of your investment.  

Detection in Depth 

While tools such as Intrusion Prevention Systems (IPS), anti-virus solutions, and firewalls strengthen your perimeter, they may not be enough to keep your networks secure from advanced cyberattacks. Many of today's threats, like ransomware, are complex, multi-phased attacks that often evade perimeter controls and lurk undetected for long periods. That is why it's essential to combine narrow-band (specific, high-fidelity) and broad-band (behavioral, anomaly-based) detection approaches to catch adversarial actions. This additional visibility allows providers to detect threat activity such as ransomware precursors. 

Detection in depth makes use of log and telemetry data from those tools to find indicators of suspicious activity that might have bypassed preventive controls. A natural extension of defense in depth, it emphasizes multiple layers of visibility into network and endpoint activity. This layered approach reduces the risk of depending on a single solution or vendor and makes it more likely that you catch one of the many early warning signs of an attack.  

For example, today's ransomware attacks are often complex, multi-stage operations that compromise one or more endpoints and install software that blocks access to those devices. With security monitoring at both the endpoint and network layers, it is easier to detect the early stages of ransomware-related activity (credential theft, lateral movement, deletion of backups and shadow copies) and stop the attackers before encryption begins. 

When selecting a Managed Detection and Response service provider, look for one whose detection capabilities provide benefits beyond the level of preventative controls. Using machine learning models and advanced correlation analysis can power detection in depth through identifying signals of suspicious behavior, making your MDR service provider better able to spot potential threats and act quickly.  

There are various frameworks and models an MDR service provider can use to break down a typical cyberattack into a series of tactics, objectives, or stages. The MITRE ATT&CK Enterprise matrix, for example, has 14 tactics, while the Cyber Kill Chain traces out 7 stages. Whatever model you or the MDR service provider follows, it's prudent to seek out a partner whose detection capabilities go deep across all phases of an attack rather than being limited to surface-level controls.  
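As an added illustration of detection in depth (example code, not Proficio's detection logic), the Python below rates a host "high" only when an endpoint signal (deletion of shadow copies, ATT&CK T1490) and a network signal (SMB fan-out to many peers) land on the same host inside one window; either signal alone stays "medium". The events, host names, the 10-minute window and the 20-peer threshold are constructed assumptions.

```python
"""Correlate endpoint and network telemetry to score ransomware precursors.

Added example, not the page's or Proficio's code. Events are constructed; the
field names, the 10-minute window and the 20-peer threshold are assumptions.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
SMB_FANOUT_MIN = 20          # distinct :445 peers within WINDOW (assumed threshold)

# Endpoint-layer indicators: inhibit-system-recovery commands (ATT&CK T1490).
RECOVERY_TAMPER = (
    "vssadmin delete shadows",
    "wbadmin delete catalog",
    "bcdedit /set {default} recoveryenabled no",
)

T0 = datetime(2024, 5, 1, 2, 3, 0)


def edr(host, ts, cmd):
    return {"host": host, "src": "edr", "ts": ts, "cmd": cmd}


def net(host, ts, dst, dport=445):
    return {"host": host, "src": "net", "ts": ts, "dst": dst, "dport": dport}


# Constructed telemetry from two sources (EDR process events, network flows).
EVENTS = [
    # fd-01: shadow copies wiped, then SMB sweep of 25 hosts within 4 minutes -> high
    edr("fd-01", T0, "vssadmin delete shadows /all /quiet"),
    *[net("fd-01", T0 + timedelta(seconds=10 * i), f"10.1.2.{10 + i}") for i in range(25)],
    # bar-07: benign admin query, no network signal -> nothing
    edr("bar-07", T0 + timedelta(hours=9), "vssadmin list shadows"),
    # kiosk-2: 30 connections, but all to one file server -> nothing
    *[net("kiosk-2", T0 + timedelta(hours=10, seconds=i), "10.1.2.5") for i in range(30)],
    # back-03: SMB fan-out with no endpoint signal -> medium
    *[net("back-03", T0 + timedelta(hours=12, seconds=10 * i), f"10.1.3.{i}") for i in range(22)],
]


def endpoint_hits(events):
    """EDR events whose command line starts with a recovery-tampering command."""
    return [e for e in events
            if e["src"] == "edr" and any(e["cmd"].lower().startswith(p) for p in RECOVERY_TAMPER)]


def smb_fanout(events, window=WINDOW, minimum=SMB_FANOUT_MIN):
    """Per host, the first time at which >= minimum distinct :445 peers appeared within window."""
    hits, by_host = {}, {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["src"] != "net" or e["dport"] != 445:
            continue
        seen = by_host.setdefault(e["host"], [])
        seen.append((e["ts"], e["dst"]))
        recent = {dst for ts, dst in seen if e["ts"] - ts <= window}
        if len(recent) >= minimum and e["host"] not in hits:
            hits[e["host"]] = e["ts"]
    return hits


def correlate(events, window=WINDOW):
    """'high' when both layers fire on one host inside the window, 'medium' for one layer."""
    fanout = smb_fanout(events, window)
    ep = endpoint_hits(events)
    alerts = {h: "medium" for h in fanout}
    for e in ep:
        alerts[e["host"]] = "medium"
    for e in ep:
        host = e["host"]
        if host in fanout and abs(fanout[host] - e["ts"]) <= window:
            alerts[host] = "high"
    return alerts


if __name__ == "__main__":
    print(correlate(EVENTS))
```

Neither source alone is trustworthy enough to drive an automated containment: shadow-copy deletion also happens during legitimate backup maintenance, and SMB fan-out is what a vulnerability scanner or a software deployment tool looks like. The two together, on one host, within minutes, are the high-fidelity signal.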

Investment in Threat Hunting  

Your MDR service provider should have a threat hunting team that takes a proactive approach to search through your network, data, and systems to unearth hidden threats and adversaries lurking in your environment. These threats may have gone undetected by existing tools or use cases, but with the help of a dedicated threat hunting team, the risk of a data breach can be minimized. 

Global MDR service providers can add more value from threat hunting by applying findings from one client's network to improve hunting for other clients. Machine learning models that identify anomalies and score them by how unusual they are against baseline behavior should be part of your MDR provider's threat hunting tool chain. Many MDR providers also have senior advisors who play an important role by digging through client logs, dashboards, and visualizations to hunt for threats.  

Clear Communication and Visibility 

When evaluating an MDR service provider, it’s critical that you set expectations for how you would like to be able to communicate with your partner. Some MDR service providers might have limitations on communication hours or specific mediums that might not work well for your business. Given that an attack can happen at any time, you should look for a team of SOC analysts who not only monitor your environment around-the-clock but also one you can access when you need additional help. It is also beneficial to have multiple communication options, such as phone, web portal and email.  

Select a Managed Detection and Response service provider that goes the extra mile by displaying real-time data, dashboards, and other valuable security information. Some MDR providers can improve your security posture by identifying gaps in controls that can be exploited by attackers. Executives can use this data to demonstrate team improvement over time or justify spending for additional headcount or tools.  

Proficio’s MDR services provide your business with around-the-clock security monitoring, advanced threat detection, investigations, and automated response capabilities. You can learn more about our Managed Detection and Response or find out what Gartner recommends you ask MDR providers and Proficio’s answers. 

Why Gartner is Urging Organizations to Protect Against Identity Threats and Credential Abuse

With the growing support for a hybrid work environment and continued migration to cloud applications, Gartner is predicting an increased trend in identity-based attacks and credential abuse. Today’s cybercriminals are looking for ways to steal credentials, escalate privileges, and move laterally across an organization’s infrastructure. Given that identity compromises are present in most ransomware and supply chain attacks, identity-based attacks have become one of the top cybersecurity threats facing organizations today. That is why Gartner has declared “identity is the new perimeter” and recommends organizations invest in protecting against identity attacks or specifically Identity Threat Detection and Response solutions. 

The Password Paradigm Shift 

For many years, organizations could get by setting up strict password requirements for their users. Password best practices included using long, complex passwords and different passwords for different accounts.  

Today, billions of stolen login credentials are available on the dark web, and cybercriminals can buy them cheaply: $150 for 400M username and password pairs. Research on password habits shows that 59% of people use the same password for multiple accounts and 47% use the same passwords at work as at home. All this duplication greatly increases the risk of attackers gaining access to corporate systems with a combination of a corporate email address and a password stolen elsewhere.   

Adding to the challenge is the growth in SaaS applications used by businesses; the number of account credentials grows with them, and as a result employees are more likely to choose easily guessed passwords, if they are not simply reusing the same ones across accounts. With attackers using brute force and automated password cracking tools to guess username and password combinations, password management is an uphill battle for internal IT teams. 

Finding Better Protections 

To better protect user accounts from identity attacks, organizations are implementing Multifactor Authentication (MFA). MFA requires multiple steps to verify users’ identities before accounts can be accessed. Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Two-factor authentication for smartphones, one of the more common applications of MFA, typically involves something you know and something you have. For example, a user PIN followed by proof of possession of the device registered with the user account. Each MFA method has strengths and weaknesses, and the choice of implementation is often a trade-off between security and usability.  

A Google research study found the success rate of MFA using an SMS code sent to a phone number helped block 100% of automated attempts by hackers to gain access, along with 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks. 

MFA also pairs well with Single Sign-On (SSO). For example, once a user has signed in to Microsoft 365 with MFA, the identity provider can extend that verified session to the other connected applications without a separate password for each. Alongside streamlining the login process for users, this saves time for IT admins and helps address compliance mandates that require strong authentication before employees can access data. 

MFA is an Improvement, Not a Panacea 

While strong identity authentication protections, like MFA, are effective, not all organizations use these tools to protect against identity attacks. For example, a recent survey by Microsoft showed that 78% of their customers using Azure AD only use passwords without protections like MFA. Reasons why organizations do not implement authentication protections include cost, user experience, scalability, and availability of solutions for legacy applications.  

Cybercriminals are targeting larger organizations, using more sophisticated penetration techniques, and demanding bigger ransoms from successful ransomware attacks. The theft and abuse of credentials plays an important role in ransomware attacks where Microsoft’s Remote Desktop Protocol (RDP) is an attack vector, giving organizations more reasons to better protect their user accounts. 

However, even for organizations using MFA, hackers have shown they have multiple techniques to bypass it, such as disabling MFA policies, attacking legacy applications that do not support MFA, using stolen private keys to sign certificates, installing a malicious app that authenticates while still under the attacker’s control, and more.  

Enter Identity Threat Detection and Response 

Identity Threat Detection and Response (ITDR), a term coined by Gartner, describes the collection of tools and best practices used to defend identity systems against endemic levels of attack.  

A new approach is needed because other tools, like User and Entity Behavior Analytics (UEBA), have fallen short of expectations due to challenges with false positives and the lack of automated response capabilities.  

Gartner has underscored the importance of preventing compromises to protect against identity attacks. While MFA prevention tools exist, they can and will be bypassed. Organizations need to deploy more advanced threat detection tools. Threat detection is critical but not sufficient. Rapid and effective response actions are mandatory. 

Traditional approaches to security monitoring with manual incident response are often too slow to react to attacks and compromises. In addition, it can take hours to create a ticket requesting suspension of a user account, increasing the risk of a data breach in the meantime. The appropriate response may also vary depending on the type of account; for example, an investigation is often needed before suspending an executive user account. 

How an ITDR tool is implemented is also an important consideration, as some require sensors or agents that are complicated to integrate and maintain. 

Proficio’s Solution 

Proficio’s ProSOC Identity Threat Detection and Response service detects threats to Identity and Access Management (IAM) platforms to enable a faster response to contain attacks and compromises. It is designed to work with multiple IAM platforms and leverages advanced technology combined with human-led investigations to detect threats to an organization’s IAM infrastructure. Alerts are prioritized using use case analytics, correlation rules, machine learning, and threat intelligence data.  

For better protection against identity attacks, Proficio’s automated response solution, Active Defense, can take immediate action when a high-fidelity threat is detected, quickly suspending a user account for one or more applications. While many organizations can only investigate and respond during business hours, Active Defense allows you to quickly contain identity threats, giving incident responders time to investigate further before there is a serious breach. Our security advisors work with our clients to baseline event thresholds and determine how to orchestrate response actions most effectively. When an Active Defense use case is triggered, our solution can initiate an immediate account suspension or enable an incident responder to do so with a single click, in alignment with your business requirements and the type of user account being targeted. Active Defense supports both automated and semi-automated functions, allowing incident responders to perform a double validation of a threat before initiating an account suspension with a single click in our ServiceNow portal. 


To find out more about Proficio’s solution, view our webinar.

Takeaways From Notable Law Firm Data Breaches

Law firms collect sensitive and privileged data, making them prime targets for cyberattacks. Unfortunately, some of these attacks succeed and the news of a law firm data breach becomes part of the public domain.

This is why law firms need a strong cybersecurity posture to defend against modern threats. This blog discusses specific threats, what happens when law firms get attacked, and some cybersecurity best practices.

Why is the Legal Sector Targeted?

The global market for legal services is expected to surpass one trillion dollars by 2025. Cybercriminals like industries where the impact on the reputation of the target is disproportionately high, as there’s more likelihood the victim will pay a ransom.

Aside from the fact that legal firms typically store details about trade secrets, intellectual property, mergers, and other lucrative information on their computer systems, threat actors perceive these organizations as unlikely to prioritize cybersecurity. A 2021 survey of law firms reinforced this perception when it found that just 36% of respondents had a formal incident response policy for cybersecurity events.

Looking at some of the most high-profile law firm data breaches underscores just how persistent cyber threats are to the legal industry.

Campbell Conroy & O’Neil

Campbell Conroy & O’Neil is a large law firm practicing across 11 locations in the United States, with clients that include Ford, Honda, and Boeing. In February 2021, malicious actors infiltrated Campbell Conroy & O’Neil’s IT network and installed ransomware, which prevented access to important files.

A data privacy incident disclosure released by the firm indicated that sensitive information about individuals was compromised, including financial account information, Social Security numbers, passport numbers, and payment card information. The firm offered affected individuals 24 free months of credit monitoring, fraud consultation, and identity theft restoration services.

Grubman Shire Meiselas & Sacks

With a client portfolio that includes musicians such as Lady Gaga, Madonna, and Drake, Grubman Shire Meiselas & Sacks (GSMS) is another law firm with a high-profile reputation. The company, which serves media and entertainment clients, had 756 gigabytes of private documents and correspondence exfiltrated from its network in May 2020 during a ransomware attack.

The threat actors behind the attack on GSMS were part of the notorious REvil gang. Before their eventual arrest in 2022, REvil members racked up a considerable list of ransomware victims. REvil demanded a $42 million ransom from GSMS. After an initial $21 million demand went unmet, REvil members posted 2 gigabytes of stolen data about GSMS’ clients on the dark web to further incentivize payment.

Jones Day

Founded in Cleveland over a hundred years ago, Jones Day is the fifth-largest law firm in the US and one of the top 15 highest-grossing in the world.

The Jones Day attack resulted from a software supply chain vulnerability in the Accellion file transfer system that impacted a total of 100 organizations. Supply chain attacks often have far-reaching, downstream consequences that impact hundreds of companies and potentially millions of people from a single vulnerability.

Common Attack Vectors Leading to Law Firm Data Breaches

While the cyberthreat landscape is ever-changing, there are some clear trends in the attacks that lead to big law firm data breaches. Here are some of the main methods, attack vectors, and tactics that hackers deploy to target businesses in the legal sector:

Ransomware
Ransomware attacks use encrypted systems and/or stolen, exfiltrated data as leverage to extort large payments from law firms. Industry sources indicate that smaller law firms are increasingly impacted by ransomware. The threat of ransomware is not going away despite several high-profile recent arrests targeting ransomware gangs.

Ransomware can bring significant costs to a law firm after a data breach, not just from the damage done to encrypted systems, but also from regulatory penalties due to inadequate protection of sensitive client data. In March 2022, UK criminal defense firm Tuckers Solicitors received a £98,000 fine in the wake of a ransomware attack that compromised sensitive criminal court information.

To address the risk of ransomware attacks, law firms should securely back up systems and data, deploy advanced endpoint and email security, monitor threats on a 24/7 basis, and implement multi-factor authentication.

Phishing
Phishing campaigns against law firms are becoming more common as hackers improve their skills in crafting convincing emails that persuade law firm employees or their clients to unknowingly take dangerous actions, such as clicking a malicious link, revealing private information, or installing malware. Phishing has morphed in recent years beyond email to include smishing (text messages) and vishing (phone calls).

Threat actors often hit law firms with more targeted spear-phishing campaigns in which they either target or impersonate a very specific individual within that company. In one recent instance, a new Finance Manager at a law firm transferred £60,000 to an individual impersonating a trusted supplier.

Attacks Against Remote Workers

With hybrid work policies becoming a mainstay of how many law firms operate, many cyberattacks try to exploit potential security gaps in remote work technology. One example is trying to compromise or brute force entry into remote desktop protocol (RDP) connections from which law firm employees log in and work remotely.

A successful compromise of an RDP account can give threat actors the keys to a corporate network. Hackers can also try to get into a law firm’s network through VPN accounts, unsecured public Wi-Fi connections, and even through IoT devices.

Software Vulnerabilities

Cybercriminals will try to exploit security vulnerabilities in software used by law firms, such as general IT software or specialized legal software. Jones Day was a prime example of the impact of this type of attack. Australian firm Allens was another legal sector victim from the Accellion fallout.

Hackers can also exploit vulnerabilities in third party libraries and other components that provide functionality to applications. These so-called software supply chain attacks can simultaneously affect thousands of businesses. The recent Apache Log4j vulnerability was a software supply chain attack.

Cybersecurity Best Practices for Law Firms

Many law firms lack the IT resources to make security a priority and might feel intimidated by the prospect of strengthening their cybersecurity practices in light of today’s high-volume, sophisticated threat landscape. But becoming more secure doesn’t have to break the budget by hiring dozens of expert security specialists. Quite often, even the most high-profile breaches stem from entirely preventable security errors and could have been mitigated by following some basic best practices.

Here are some recommendations to improve your law firm’s cybersecurity and prevent your organization from being the next law firm data breach.

Draft a Security Policy

Even in 2022, 17% of respondents surveyed report that their law firm does not have any security policies, and another 8% do not know about their law firm’s security policies. A security policy is a basic requirement that any legal firm should have in place regardless of its size. Draft one that at a minimum covers BYOD, email, data retention, and an incident response plan for when you are attacked.

Prioritize Patch Management

Incidents like the zero-day Accellion supply chain breach are difficult to do anything about, because a zero-day vulnerability, by definition, has not yet been patched with a security update. Still, patch management is often low on the security priority list – and this shouldn’t be the case. There are many vulnerability management solutions available to firms needing assistance with prioritization.

The attack on GSMS highlighted pervasive patch management issues in the legal sector when a post-mortem of the incident revealed it all started with hackers exploiting unpatched Pulse Secure VPN servers. A patch for these servers was available for at least four months prior to the breach.

Protect your Endpoints

With cyberattacks often originating on endpoint devices, such as laptops and workstations, it’s imperative to step up endpoint security. Ideally, you should seek out a solution that effectively detects suspicious processes and behaviors on endpoints, such as using a comprehensive Endpoint Detection and Response (EDR) solution.

Secure Account Logins with Multifactor Authentication (MFA)

Passwords are no longer strong enough to secure access to employee accounts. New York City’s law department knows this all too well—a 2021 incident saw hackers using an employee’s stolen password to infiltrate the department’s network. A recent Microsoft survey of its customers using Azure AD showed that 78% are still only using passwords without other strong identity authentication protections. It is critical to implement multifactor authentication (MFA) for access to key IT services, including Microsoft 365, remote desktop protocol, VPNs, cloud services, and even workstation logins.

Cloud Security

Law firms are increasingly using the cloud to store data and relying on cloud-based applications to operate their practices. Since cloud platform providers, like AWS, only take responsibility for securing their cloud platform, law firms must implement best practices for securing their data in the cloud by monitoring logs, scanning for vulnerabilities, and implementing other security controls to ensure unauthorized users cannot gain access to sensitive documents.

Identity Management

Law firms must prevent unauthorized access to sensitive data or core systems. Steps to reduce the risk of credential theft include using strong, unique passwords, multi-factor authentication, and fine-grained access controls that allow administrators to set employee permissions based on their roles and responsibilities. Monitor for high rates of authentication failures on Windows service accounts. 
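As an added example (not Proficio’s code or its ITDR service), the following Python flags accounts with a burst of failed Windows logons and, following the account-type-dependent response described in the ITDR section earlier on this page, picks an action per account. The log format, account classification and per-account thresholds are constructed assumptions.

```python
"""Added example (not Proficio's code): detect bursts of failed Windows logons
per account and choose an ITDR-style response that depends on account type."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified export of Windows Security events, one per line:
# "<timestamp> <EventID> <account> <host> <source IP>".
# 4625 = failed logon, 4624 = successful logon. Not real data.
SAMPLE_LOG = """\
2024-03-01T08:00:01 4625 svc_backup FS-01 10.0.5.21
2024-03-01T08:00:03 4625 svc_backup FS-01 10.0.5.21
2024-03-01T08:00:05 4625 svc_backup FS-01 10.0.5.21
2024-03-01T08:00:07 4625 svc_backup FS-01 10.0.5.21
2024-03-01T08:00:09 4625 svc_backup FS-01 10.0.5.21
2024-03-01T08:00:11 4625 svc_backup FS-01 10.0.5.21
2024-03-01T08:01:30 4624 j.doe WKS-17 10.0.8.44
2024-03-01T08:02:00 4625 j.doe WKS-17 10.0.8.44
2024-03-01T08:02:10 4624 j.doe WKS-17 10.0.8.44
2024-03-01T08:05:00 4625 ceo WKS-02 10.0.8.90
2024-03-01T08:05:20 4625 ceo WKS-02 10.0.8.90
2024-03-01T08:05:40 4625 ceo WKS-02 10.0.8.90
2024-03-01T08:06:00 4625 ceo WKS-02 10.0.8.90
2024-03-01T08:06:20 4625 ceo WKS-02 10.0.8.90
2024-03-01T08:30:00 4625 svc_sql DB-01 10.0.5.30
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Hypothetical account classification and thresholds, the kind of values a
# client and its security advisors would agree on while baselining.
ACCOUNT_TYPES = {"svc_backup": "service", "svc_sql": "service", "ceo": "executive"}
BASELINE = {"svc_backup": 2, "svc_sql": 2}  # service accounts should rarely fail
DEFAULT_BASELINE = 3                         # failures tolerated per window


def parse_events(text):
    """Turn log lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, account, host, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "account": account, "host": host, "src": src})
    return events


def peak_failures(events, window=timedelta(minutes=5)):
    """Highest number of 4625 events per account within any sliding window."""
    times = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            times[e["account"]].append(e["ts"])
    peaks = {}
    for account, ts_list in times.items():
        ts_list.sort()
        best = start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:
                start += 1          # drop failures that fell out of the window
            best = max(best, end - start + 1)
        peaks[account] = best
    return peaks


def decide_response(account, peak):
    """Map a threshold breach to an action: automatic suspension is acceptable
    for service and standard accounts, while an executive account gets an
    analyst validation step before a one-click suspension."""
    if peak <= BASELINE.get(account, DEFAULT_BASELINE):
        return "none"
    if ACCOUNT_TYPES.get(account, "standard") == "executive":
        return "investigate_then_one_click_suspend"
    return "auto_suspend"


def triage(text):
    """Account -> response action for every account with failed logons."""
    peaks = peak_failures(parse_events(text))
    return {acct: decide_response(acct, peak) for acct, peak in peaks.items()}


if __name__ == "__main__":
    for acct, action in triage(SAMPLE_LOG).items():
        print(f"{acct}: {action}")
```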

Continuous Monitoring for Compliance Issues

A host of diverse regulations aim to protect the different types of sensitive data law firms store about their clients: HIPAA covers protected health information, the CCPA protects data privacy for California residents, and the GDPR protects data belonging to EU citizens and residents. Noncompliance with any regulation risks costly penalties, so it’s critical to meet every form of regulatory oversight that applies to your firm.

Simple steps such as continuous monitoring enable you to rapidly detect compliance risks before they become serious security issues, and log analysis and reporting provide better visibility. If your firm is unable to do this in-house, there are options to outsource to cybersecurity specialists, such as a Managed Detection and Response provider.

Improve Incident Response

When a security threat is detected, law firms must respond quickly to reduce the risk of a security breach. However, many law firms do not have the resources to respond to high-priority alerts on a 24/7 basis, and internal processes can sometimes slow down response actions. By instantly blocking an attack or containing a threat, automated response solutions provide time for investigation and remediation before a law firm’s security is compromised.

A dedicated incident response plan is critical for any law firm that suffers a data breach, as it addresses what happens once hackers get past your perimeter security controls.

The incident response plan establishes processes for detecting, containing, investigating, and recovering from security incidents that have already infiltrated your environment. It’s highly recommended to include ransomware preparedness as part of this plan, with a clearly defined set of steps to take if your firm’s network gets hit by a ransomware attack (e.g., should you pay?).

Without any semblance of a plan in place, cybersecurity incidents easily lead to panicked decisions that make the problem worse. While incident response plans and functions can be challenging to put in place, the cost of a data breach at a law firm makes the effort worthwhile.

Closing Thoughts

Downtime, loss of billable hours, and reputational harm are outcomes that no company wants to face, but they are entirely within the realm of possibility after any law firm data breach. However, following some simple best practices will help your firm get on the right track. For those struggling to find the resources in-house, partnering with a security provider offers an affordable, scalable, and efficient way to address security gaps for law firms of all sizes.

To find out how Proficio can help your law firm improve its cybersecurity defenses, contact us.

Increased Cybersecurity Risks from Russian Cyber Attacks Resulting From the Russia Ukraine Conflict

A barrage of sanctions from the U.S. and E.U. continues to rain down on Russia following Vladimir Putin’s decision to invade Ukraine. The damage inflicted by these sanctions poses concerns about possible retaliation measures against Western nations.

Given Russia’s significant capabilities and history of cybercrime, it appears likely that Russian cyber attacks, particularly against critical public sector infrastructure, may be on the agenda. These attacks have already begun against Ukraine and very likely will turn to the Western nations next.

Let’s take a look at some plausible risks, scenarios, and targets if Russia decides to turn to cyber attacks against Western nations during the ongoing conflict, so you can stay protected.

Russian Cyber Attacks Preceding the Physical Invasion of Ukraine

Before the Russian military stepped over the physical borders of Ukraine, there was an escalation in cyber attacks carried out by Russia’s extensive cyber units, as Ukrainian banks and government websites were targeted with data-wiping malware and DDoS attacks. These actions confirmed that cyber operations are a central component of modern hybrid warfare.

According to the United States Congressional Research Service, Russia has a history of deploying cyber crime during wartime. During its 2008 war with Georgia, a large-scale DDoS attack crippled electronic communications at several government and financial institutions.

The escalation in cyber warfare is a continuation of attacks on Ukraine stretching back to Russia’s annexation of Crimea in 2014. A quick recap of some of these incidents serves as a reminder of what type of attacks Russia’s cyber units engage in during war times and the damage they can cause:

  • In December 2015, a complex, multi-phase attack took down Ukraine’s power grid leaving over 230,000 consumers without power.
  • A year later in December 2016, websites and payment systems belonging to the Ukrainian Ministry of Finance and State Treasury were taken offline by Russian malware.
  • In June 2017, Russia targeted Ukraine with a variant of the Petya ransomware (NotPetya), which hit Ukrainian ministries and banks, and even took down a radiation monitoring system at the Chernobyl nuclear plant.

Russian Cyber Attacks on Western Nations

While the attacks against Ukraine are proof of Russia’s cyber power, what conclusions can we draw about Russian cyber attacks on Western nations? Pertinent examples from recent years help us predict who Russia might target in the West, the tactics they may use, and what the consequences could be.

  • Russian cyber unit Fancy Bear was implicated in the July 2016 hacking of the Democratic National Committee. Using tactics such as spear-phishing emails, keylogging software, and privilege escalation, the hack resulted in an email leak that stoked divisions in the Democratic party. The attack was seen as a Russian effort to weaponize information and interfere in the US Presidential election.
  • The NotPetya malware that hit Ukraine in 2017 spread to organizations in several Western nations, including Great Britain, France, Germany, and the United States. Maersk, the world’s largest container ship operator, suffered $300 million in damages from NotPetya. FedEx suffered similar costs to Maersk as a result of its subsidiary TNT Express being impacted by the ransomware strain.
  • The SolarWinds data breach is the most infamous recent example of Russian cybercrime against a Western nation. In this supply chain attack, Russian threat actors managed to modify software updates for Orion, a SolarWinds network monitoring software used by the U.S. federal government. Malicious Orion updates installed on federal IT systems gave Russian threat actors undetected access to those systems for up to nine months.

Federal Government Warnings and Advisories

The recent history of Russian cyber warfare clearly paints a worrying picture for Western nations. A diverse range of past attacks has impacted critical public services and infrastructure, and as new sanctions get imposed daily, Russian cybercriminals could easily look for new targets. The possibilities include:

  • Russian threat actors deploying similar attacks on Western nations to those that hit Ukrainian banks and government websites.
  • Cyber incidents spreading from Ukrainian businesses to organizations in other countries due to globally interconnected networks.
  • Standalone attacks carried out as a direct response to ongoing Western sanctions damaging the Russian economy.

The highest levels of Western government assess the cyber risk landscape as an increasingly dangerous one if recent advisories and publications are anything to go by. The UK’s National Cyber Security Centre called on organizations to bolster their cybersecurity defenses in light of heightened cyber threats following Russia’s invasion of Ukraine. Recommended actions include patching systems, verifying access controls, and ensuring proper incident detection and response.

In the US, CISA director Jen Easterly indicated the agency was, “working with our federal partners, our state and local partners, and our industry partners to make sure that they’re aware of the potential threats of a potential cybersecurity crisis.” The FBI Cyber Division’s David Ring reportedly echoed similar sentiments during a call when he asked state and local leaders and business executives to think about how the provision of critical services could be disrupted by ransomware.

Meanwhile, in an address to the nation on February 24, 2022, President Joe Biden claimed that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond.”

These warnings, comments, and advisories show that there is a clear perception of increased cyber risk. The public sector and operators of critical infrastructure appear to be particularly vulnerable targets, so those operating in these sectors should continue to be on high alert.

Potential Upcoming Russian Cyber Attack Campaigns

It’s unclear how likely a Russian cyber attack on a Western nation is right now. The past actions of Russian cyber units indicate anything is possible. What is clear is that countries such as the United States and the United Kingdom are taking steps to prepare. Here are some potential upcoming Russian cybercrime campaigns to watch out for:

  • Targeting critical infrastructure: Statements from government officials in recent weeks have persistently referred to critical infrastructure. Cyber attacks on industrial control systems or even healthcare organizations pose threats to health and safety in addition to the monetary costs involved.
  • Data leaks: Russia has shown its willingness in the past to use information as a weapon. Threat actors lurking undetected in federal or other public sector networks may decide to leak confidential information in an attempt to sow discord. Spear phishing campaigns on public sector employees may provide new entry points into public sector IT networks.
  • Supply chain attacks: Russian cyber units may use existing footholds in software supply chains to initiate an attack that mimics SolarWinds and leads to widespread data breaches of government data.

While the risk of attack in the current environment may be high, there are steps you can take to be better prepared and stay protected against potential threats. We recommend you prioritize the following (in this order):

  • Patch or remediate any critical internet-facing vulnerabilities that could be leveraged by an attacker to gain a foothold within the environment.
  • Make sure that all endpoints have up-to-date endpoint protection, preferably an up-to-date EDR agent installed on all systems.
  • Patch internal vulnerabilities that are commonly used by attackers to compromise an endpoint.
  • Geo-block Russian IP address ranges on the NGFW if you do not do business with this region.

Closing Thoughts

If and when Russia decides to strike back against the West using its cyber attack arsenal, public and private sector organizations face the challenge of detecting potential cyber attacks quickly and responding before they spread and do serious damage. While proper cyber hygiene is a great start, you need around the clock monitoring to ensure you’re catching attacks before they cause damage.

Proficio’s managed detection and response service provides 24/7 investigation and incident remediation capabilities to help organizations manage threats and reduce business risk in this potentially dangerous new cybersecurity landscape. To better protect our clients in these uncertain times, Proficio is deploying additional, targeted monitoring solutions to detect and respond to these attacks. To learn more about how Proficio can help keep your organization secure, contact us.

7 Major Cyber Attacks in 2021 and Lessons Learned to Strengthen Your Defenses in 2022

Cyber attackers continued to successfully target organizations in all sectors and of all sizes during 2021. The biggest cyber attacks in 2021 resulted in damaging financial, reputational, and even societal consequences. Security leaders and teams should use the lessons learned from high-profile attacks to improve their organization’s security posture. Let’s look at 7 major cyber attacks in 2021 and the key lessons to learn from them.

The 2021 Cyber Attack Landscape

Threat actors continued to take advantage of additional security vulnerabilities created by the rapid pandemic-induced change to remote work. When remote work was a factor in data breaches during 2021, one study found the cost per breach increased by $1 million per incident.

Ransomware remains one of the most significant cybersecurity threats, with targets ranging from critical infrastructure to large enterprises to police departments. According to one report, 37 percent of organizations surveyed were hit by ransomware attacks in 2021.

Ransomware gangs now regularly use double extortion techniques. Not content with just encrypting important files or endpoints, in double extortion attacks, adversaries exfiltrate sensitive data before delivering ransomware payloads. The added incentive to pay the ransom comes from the threat of sensitive data being published on the Dark Web.

Another worrying trend in several 2021 cyber attacks was a focus on disrupting or infiltrating supply chains. Malicious actors target supply chains because they know that the downstream effects can hit multiple organizations or even result in supply shortages of critical goods and services.

2021 Cyber Attacks That Shook the World

Bearing this landscape in mind, here is a run-through of seven high-profile incidents that made global media headlines.

1. Colonial Pipeline

The Colonial Pipeline 2021 cyber attack concerned the information security community, consumers, and government agencies. Colonial Pipeline transports diesel, jet fuel, and gasoline across a 5,500-mile journey starting in Houston and terminating in New York. In May 2021, an Eastern European ransomware group known as DarkSide managed to infiltrate Colonial Pipeline’s billing system.


Fearing an eventual lateral movement traversing the boundary between IT and operational technology (OT), the company halted all pipeline operations to contain the attack. The operational disruption lasted five days while Colonial Pipeline responded to the incident.

Part of the response involved paying a $4.4 million ransom to the ransomware gang. The FBI managed to recover a portion of this ransom in the aftermath. The concern around this breach was elevated by media images of panicked motorists queueing to stock up on gasoline because they feared an extended fuel shortage.

Subsequent investigations into the cyber attack on Colonial Pipeline found that the initial attack vector was a stolen password used to log in to a legacy VPN. The threat actors likely found the stolen password in a Dark Web leak list from a previous data breach. The Colonial Pipeline’s CEO, Joseph Blount, had to testify in front of the Senate Homeland Security and Governmental Affairs Committee about how the company handled this attack.

Lessons Learned:

  • Multifactor authentication is critical: In his testimony, Mr. Blount said that the hacked VPN account only had single-factor authentication. In today’s threat landscape, depending on passwords alone to secure access to accounts is very risky.
  • Poor password hygiene is still common: hackers used stolen credentials to log in to a VPN account. Aside from highlighting the vulnerabilities in relying on passwords, this attack shows how poor password hygiene, such as using passwords across multiple services and apps, remains commonplace. Better cyber awareness and training can combat this issue.
  • 24/7 monitoring is key: detecting events like suspicious use of VPNs, credential abuse, and policy violations around the use of remote access applications helps prevent compromises.

2. Accellion

Accellion provides file sharing and team collaboration tools to organizations that are reported to include Morgan Stanley, Shell Oil Company, Kroger, Health Net, Stanford University, and many others. In December 2020 and January 2021, one of the company’s legacy tools, Accellion File Transfer Appliance (FTA), became compromised with multiple zero-day vulnerabilities exploited by UNC2546 and UNC258, two threat actors with links to the Clop and Fin11 ransomware gangs.

In healthcare alone, over 11 organizations were impacted by this supply chain attack. A zero-day attack is particularly challenging because it exploits previously unknown vulnerabilities for which no fix yet exists.

Lessons Learned:

  • The importance of vulnerability management and patching: Speed is critical in patching zero-day vulnerabilities with known exploits. Risk-based Vulnerability Management tools and services can help organizations decide which assets to patch first based on business priority and context.
  • The need for data exfiltration protection: In addition to double-extortion ransomware attacks, this supply chain attack demonstrated that threat actors see data exfiltration as the ultimate prize. It is important for organizations to detect precursors of data exfiltration and behavior anomalies and automate containment actions to prevent loss of data.
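The exfiltration precursors the lesson above calls for are typically visible as a host sending far more data than its own history, often to a destination never seen before. As an added example (not Proficio’s code, and not tied to any real incident data), the following Python baselines each host’s daily outbound volume and proposes a containment action; the flow roll-up format, hostnames, destinations and thresholds are constructed assumptions.

```python
"""Added example (not Proficio's code): flag hosts whose outbound transfer
volume jumps far above their own baseline, and whether the traffic goes to
a destination never seen before, then propose a containment action."""
from collections import defaultdict
from statistics import median

# Constructed daily proxy/netflow roll-up: (day, host, destination, bytes_out).
# Not real data. fin-ws-07 sends ~200 MB/day, then 4.6 GB to a new host.
SAMPLE_FLOWS = [
    ("2021-02-01", "fin-ws-07", "crm.saas.test", 180_000_000),
    ("2021-02-02", "fin-ws-07", "crm.saas.test", 220_000_000),
    ("2021-02-03", "fin-ws-07", "crm.saas.test", 190_000_000),
    ("2021-02-04", "fin-ws-07", "mail.corp.test", 240_000_000),
    ("2021-02-05", "fin-ws-07", "crm.saas.test", 200_000_000),
    ("2021-02-08", "fin-ws-07", "crm.saas.test", 150_000_000),
    ("2021-02-08", "fin-ws-07", "files.unknown-share.test", 4_600_000_000),
    ("2021-02-01", "hr-ws-02", "mail.corp.test", 90_000_000),
    ("2021-02-02", "hr-ws-02", "mail.corp.test", 110_000_000),
    ("2021-02-03", "hr-ws-02", "mail.corp.test", 95_000_000),
    ("2021-02-04", "hr-ws-02", "mail.corp.test", 100_000_000),
    ("2021-02-05", "hr-ws-02", "mail.corp.test", 105_000_000),
    ("2021-02-08", "hr-ws-02", "mail.corp.test", 130_000_000),
    ("2021-02-05", "new-ws-01", "mail.corp.test", 50_000_000),
    ("2021-02-08", "new-ws-01", "backup.corp.test", 3_000_000_000),
]


def per_host_history(flows):
    """host -> {day -> total bytes} and host -> {day -> set of destinations}."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, host, dest, nbytes in flows:
        totals[host][day] += nbytes
        dests[host][day].add(dest)
    return totals, dests


def analyse_host(day_totals, day_dests, ratio_threshold=5.0, min_history=3):
    """Compare the latest day with the median of earlier days for one host.
    A host with too little history cannot be baselined and is reported as such
    rather than silently passed, so a newly imaged machine is not a blind spot."""
    days = sorted(day_totals)
    latest, history = days[-1], days[:-1]
    if len(history) < min_history:
        return {"status": "insufficient_baseline", "action": "none"}
    baseline = max(median(day_totals[d] for d in history), 1)  # avoid /0
    ratio = day_totals[latest] / baseline
    seen = set().union(*(day_dests[d] for d in history))
    new_dests = sorted(day_dests[latest] - seen)
    if ratio >= ratio_threshold and new_dests:
        action = "isolate_host"    # high-fidelity precursor: contain automatically
    elif ratio >= ratio_threshold:
        action = "alert_analyst"   # spike to a known destination: validate first
    else:
        action = "none"
    return {"status": "baselined", "ratio": round(ratio, 1),
            "new_destinations": new_dests, "action": action}


def detect_exfil_precursors(flows, **kwargs):
    """Run the per-host analysis over a flow roll-up; returns host -> finding."""
    totals, dests = per_host_history(flows)
    return {host: analyse_host(totals[host], dests[host], **kwargs) for host in totals}


if __name__ == "__main__":
    for host, finding in detect_exfil_precursors(SAMPLE_FLOWS).items():
        print(host, finding)
```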

3. JBS

JBS is the world’s largest meat processor with reported annual sales of $50 billion and over 230,000 employees.

On Sunday, May 30, JBS USA discovered it was the victim of a ransomware attack that affected some of the servers supporting its U.S., Australian and Canadian IT systems. The company suspended all affected systems, then contacted law enforcement.


Assistance from the FBI helped to confirm that the prolific REvil ransomware operation was responsible for the JBS meat cyber attack. In a statement made to the media, JBS announced the payment of an $11 million ransom to REvil in an attempt to mitigate the risk of sensitive stolen data being published online.

Since the attack did not affect JBS’ backup data or core systems the company was able to recover from the attack in a few days with minimal disruption to the supply chain. JBS issued press releases on May 30, June 1, June 2, and June 3 to keep customers and the public apprised of the status of the incident.

Lessons Learned:

  • Backup strategies still work: Some security commentators argue that backup strategies are redundant in a world where data exfiltration is the main goal of malicious actors. However, the ability to restore normal operations quickly after a cyber attack is imperative, particularly in critical industries such as meat processing upon which much of the world depends for survival. Just backing up systems and data is not sufficient. You also must take steps to protect your backup files from attempts to delete them.
  • Early detection and response: More detailed investigations into the JBS attack found that data exfiltration began after leaked credentials were exploited as far back as February 2021. Early detection and response could have played a crucial role in thwarting attackers while they were in the network. Perimeter-focused controls are no longer sufficient for defending against attacks; security teams lacking internal resources can turn to managed detection and response.
  • Incident Response Plan: Having a written Incident Response (IR) plan and routinely practicing the process makes a difference. JBS effectively engaged the appropriate government entities and third-party consultants who assisted with the forensic and remediation work.

4: Brenntag

In April of 2021, Brenntag, a German chemical distribution company, became yet another victim of DarkSide ransomware. Brenntag employs more than 17,000 people worldwide, and the company reported over $14 billion of revenue in 2019.

In yet another double extortion attack, DarkSide managed to exfiltrate 150 gigabytes of data from the North American division of Brenntag’s network. After data exfiltration, the Brenntag ransomware payload encrypted multiple devices and files on the company’s network using the Salsa20 file encryption algorithm.

The immediate response to the Brenntag ransomware attack focused on containing the threat by disconnecting affected systems from the network. The company also paid a $4.4 million ransom in return for both a decryption key and not having sensitive data belonging to 6,700 individuals published online. The sensitive data included birthdates, Social Security Numbers, driver’s license numbers, and health data.


Credential theft appeared to play a prominent role in this attack. A ransom note seen by security researchers at Bleeping Computer alluded to the fact that threat actors “bought access to the network”.

Lessons Learned:

  • Stolen credentials are a big problem: Initial network access via stolen credentials was a common theme in several 2021 cyber attacks. Mitigation requires a multi-pronged approach that includes multi-factor authentication, ongoing cyber education, and regularly mandating password changes.
  • The paradox of cyber attacks: Threat actors often deploy sophisticated tools and techniques to evade detection once inside networks; however, the methods they use to gain initial access often exploit incredibly basic cybersecurity flaws.

5: Volkswagen and Audi

Volkswagen has consistently been one of the top-selling automotive brands. In June 2021, details emerged of a significant data breach at both Volkswagen and Audi, one of the Volkswagen Group’s luxury brands. The breach exposed information belonging to 3 million customers.

For the majority of customers, the leaked details were basic and non-sensitive. However, at least 90,000 people were contacted about sensitive data exposure, including driver’s license numbers, Social Security numbers, and dates of birth.

A spokesperson indicated the Volkswagen data breach stemmed from a compromise at a third-party vendor used by the company. Vice magazine reported that a hacker obtained the data by scanning the Internet for unsecured Microsoft Azure Blobs, which are used to store unstructured data in the cloud.

Lessons Learned:

  • Third-party risks: Volkswagen trusted another vendor with its valuable customer data, but that same vendor failed to implement such a basic practice as securing all data stored in the cloud. Third-party risk management is crucial to avoid breaches like this one.
  • The need for data visibility: You cannot protect sensitive data when you do not know where it is stored or how it is secured. Comprehensive data visibility could have reduced the likelihood of this Volkswagen data breach.
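As an added example (not Proficio’s code, nor that of Volkswagen’s vendor), the following Python audit flags storage containers exposed to anonymous access in an inventory shaped like `az storage account list` and `az storage container list` output. The inventory is constructed, and the field names it relies on are an assumption to verify against your CLI version.

```python
# Added example (not Proficio's or the vendor's code): audit a storage-account
# inventory for anonymous (public) blob access, the weakness behind the VW/Audi leak.
# Input shape mirrors `az storage account list` / `az storage container list` JSON;
# the field names used (allowBlobPublicAccess, enableHttpsTrafficOnly,
# properties.publicAccess) are an assumption to verify against your CLI version.
from __future__ import annotations

# Constructed inventory, as if captured from the CLI and loaded with json.load().
SAMPLE_ACCOUNTS = [
    {"name": "vendorcustdata", "allowBlobPublicAccess": True, "enableHttpsTrafficOnly": True},
    {"name": "legacyarchive", "allowBlobPublicAccess": None, "enableHttpsTrafficOnly": True},
    {"name": "hardenedacct", "allowBlobPublicAccess": False, "enableHttpsTrafficOnly": False},
]
SAMPLE_CONTAINERS = {
    "vendorcustdata": [
        {"name": "exports", "properties": {"publicAccess": "container"}},
        {"name": "logs", "properties": {"publicAccess": None}},
    ],
    "legacyarchive": [{"name": "backups", "properties": {"publicAccess": "blob"}}],
    "hardenedacct": [{"name": "exports", "properties": {"publicAccess": "container"}}],
}


def audit_public_access(accounts: list[dict], containers_by_account: dict[str, list[dict]]) -> list[dict]:
    """Return one finding per exposure, most severe first.

    'container' access lets anonymous clients LIST and read every blob, which is
    what Internet-wide scanning for open storage exploits; 'blob' access only
    serves blobs whose names are already known, so it is rated lower.
    """
    findings: list[dict] = []
    for acct in accounts:
        name = acct["name"]
        allow_public = acct.get("allowBlobPublicAccess")
        # An explicit False overrides every container ACL, so those accounts are
        # safe from anonymous reads regardless of what the containers say.
        if allow_public is not False:
            if allow_public is None:
                # Unset leaves the platform default in effect; treat it as allowed.
                findings.append({"account": name, "container": None,
                                 "issue": "allowBlobPublicAccess not set", "severity": "medium"})
            for c in containers_by_account.get(name, []):
                level = (c.get("properties") or {}).get("publicAccess")
                if level == "container":
                    findings.append({"account": name, "container": c["name"],
                                     "issue": "anonymous list+read", "severity": "high"})
                elif level == "blob":
                    findings.append({"account": name, "container": c["name"],
                                     "issue": "anonymous read", "severity": "medium"})
        if not acct.get("enableHttpsTrafficOnly", True):
            findings.append({"account": name, "container": None,
                             "issue": "plain HTTP allowed", "severity": "low"})
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["account"], f["container"] or ""))
    return findings


if __name__ == "__main__":
    for f in audit_public_access(SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS):
        print(f"[{f['severity']:6}] {f['account']}/{f['container'] or '-'}: {f['issue']}")
```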

6: HSE Ireland

The Health Service Executive runs Ireland’s public health system. Over 67,000 direct employees help to maintain the health of Ireland’s populace. Several severe Covid-19 outbreaks stressed Ireland’s health system in 2021, and a ransomware attack in May came at the most unwelcome of times.

The installation of a ransomware payload by Conti threat actors completed a two-month operation that severely impacted the HSE’s IT infrastructure. The immediate aftermath of the HSE cyber attack resulted in healthcare professionals losing access to IT systems, including patient information systems, clinical care systems, and laboratory systems.

Equally severe as this disruption to important health services was the exfiltration of sensitive healthcare data belonging to 1,000 patients. During negotiations about a ransom, Conti gang members began leaking patient data for up to 520 individuals on the Dark Web.

A detailed incident report found that the HSE cyber attack started in March 2021 when an employee clicked and opened a malicious Excel attachment. This attachment provided remote access to the HSE’s IT environment. Threat actors used Cobalt Strike, a penetration testing tool, to escalate their privileges on the originally compromised workstation.

Lessons Learned:

  • The need for threat intelligence: Robust threat intelligence and discovery help detect tools like Cobalt Strike and stop similar incidents in their tracks.
  • The danger of phishing: Phishing emails with malicious attachments provide low-hanging fruit for adversaries to infiltrate your network. Robust email security software and employee training reduce the risk of malicious attachments or users being enticed to visit infected websites.
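The Excel-attachment foothold described above typically surfaces in endpoint telemetry as an Office process spawning a command or script host. The following added example (not from Proficio or the HSE incident report) runs that detection over constructed process-creation events in a simplified Sysmon-style layout; the field names are assumptions to map onto your own EDR schema.

```python
# Added example, not from Proficio or the HSE incident report: flag Office
# applications spawning command or script hosts in process-creation telemetry,
# the pattern a malicious Excel attachment produces when its payload runs.
# Event layout is a constructed, simplified Sysmon Event ID 1 shape; the field
# names are assumptions to map onto your own Sysmon or EDR schema.
from __future__ import annotations
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
COMMAND_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                 "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
# Command-line traits that raise confidence: hidden window, encoded command, remote fetch.
HIGH_CONFIDENCE_MARKERS = ("-enc", "-w hidden", "downloadstring", "http://", "https://")

OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
# Constructed sample telemetry: two user workstations and one server.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-0412", "user": "CORP\\jdoe", "parent_image": OFFICE + "EXCEL.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c powershell -nop -w hidden -enc <constructed-placeholder>"},
    {"event_id": 1, "host": "WS-0412", "user": "CORP\\jdoe", "parent_image": OFFICE + "EXCEL.EXE",
     "image": "C:\\Windows\\splwow64.exe",  # print-spooler helper: benign Excel child
     "command_line": "C:\\Windows\\splwow64.exe 12288"},
    {"event_id": 1, "host": "WS-0098", "user": "CORP\\asmith", "parent_image": OFFICE + "OUTLOOK.EXE",
     "image": OFFICE + "EXCEL.EXE",  # user opening an attachment: benign by itself
     "command_line": "\"EXCEL.EXE\" C:\\Users\\asmith\\AppData\\Local\\Temp\\invoice.xlsm"},
    {"event_id": 1, "host": "WS-0098", "user": "CORP\\asmith", "parent_image": OFFICE + "WINWORD.EXE",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": "regsvr32.exe /s C:\\Users\\asmith\\AppData\\Local\\Temp\\update.dll"},
    {"event_id": 1, "host": "SRV-01", "user": "CORP\\svc_backup", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",  # shell from Explorer: outside this rule's scope
     "command_line": "cmd.exe /c dir"},
    {"event_id": 3, "host": "WS-0412", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    parent: str
    child: str
    confidence: str  # "high" or "medium"
    command_line: str


def _exe(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_spawns(events: list[dict]) -> list[Finding]:
    """One Finding per process-creation event in which an Office application
    launched a command or script host; confidence rises when the command line
    shows hidden or encoded execution or a remote fetch."""
    findings: list[Finding] = []
    for ev in events:
        if ev.get("event_id") != 1:  # only process-creation events
            continue
        parent, child = _exe(ev.get("parent_image", "")), _exe(ev.get("image", ""))
        if parent not in OFFICE_PARENTS or child not in COMMAND_HOSTS:
            continue
        cmd = ev.get("command_line", "")
        conf = "high" if any(m in cmd.lower() for m in HIGH_CONFIDENCE_MARKERS) else "medium"
        findings.append(Finding(ev.get("host", "?"), ev.get("user", "?"), parent, child, conf, cmd))
    return findings


def hosts_to_isolate(findings: list[Finding]) -> set[str]:
    """Hosts with a high-confidence finding: quarantine candidates pending triage."""
    return {f.host for f in findings if f.confidence == "high"}
```

Medium-confidence hits still deserve a look, since a Word process launching regsvr32 from a user's Temp folder is rarely legitimate; the split only decides what gets automated containment first.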

7: CNA Financial

Last but not least in our overview of 7 of the major 2021 cyber attacks is an attack that resulted in one of the largest ransom payments. CNA Financial, one of the biggest insurance companies in the United States, was hit by a March 2021 ransomware attack that encrypted up to 15,000 systems. The threat actors used a ransomware strain known as Phoenix CryptoLocker.


The attack began when an employee downloaded a fake browser update from a genuine website onto his/her workstation. Additional malicious activity helped to elevate privileges from the workstation to get network-wide administrative access. The final ransomware payload took down so much of the company’s IT infrastructure that executives felt they had no other option but to pay for the decryption key. The $40 million CNA Financial ransom payment set a record that still stands at the time of writing.

Lessons Learned:

  • The value of detection and response capabilities: With seemingly no functioning backup strategy in place to restore encrypted devices and files, this incident underscores the value of detection and response capabilities. By emphasizing defense-in-depth, businesses can detect and respond to cyber attacks much faster and limit their effects.
  • Some companies still pay: Despite government admonitions against paying ransom demands, several large companies paid substantial sums to hackers in 2021; none were more substantial than the $40 million that was the CNA Financial ransom. It is recommended that IT leadership prepares for this possibility by discussing options with management and their cyber insurance provider.

2021 Cyber Attacks Conclusion

There are many lessons to take forward from this list of seven major cyber attacks in 2021. Basic security flaws can provide hackers with an easy route into networks, even those belonging to the largest enterprises with the highest security investments. Despite the ease of initial entry, a common thread is that detection and response capabilities are critical to identifying and containing breaches.

Businesses stand to gain a far more robust security posture by investing in managed detection and response (MDR). Ready-made expertise in threat intelligence, detection, and response awaits businesses that allocate some of their security budget to MDR services.

Contact Proficio today to see how our leading MDR solution helps businesses like yours defend against cyber threats.

Best Practices for Endpoint Security

In today’s highly technical world, endpoint devices are everywhere. Endpoint devices, such as employee workstations, laptops, tablets, and smartphones, connect to and communicate with an organization’s network. Because they are intertwined within an organization, it often only takes successfully exploiting one endpoint for threat actors to carve a path through an organization’s network to cause harm.

Studies show that 61 percent of businesses have 1,000 or more endpoint users on their networks. Endpoints are a critical part of daily business and are also targets of a wide range of cyberthreats, which is why endpoint security should be a priority for all organizations.

As is often the case in cybersecurity, the best defense of endpoints is a good offense. But where do you start? We’ve put together a guide for endpoint security best practices so you can better prepare your organization.

Why Prioritize Endpoint Security?

If you think of endpoints as entryways into your network, it’s clear that securing every endpoint against malicious actors is important or you could be leaving the back – or even front – door open to cybercriminals.

For those organizations offering flexible work options, the increase in mobile working and remote employees introduces greater security risks to endpoints. As users connect to your company’s network and access business resources from off-premises devices or in the cloud, traditional network perimeter controls are no longer sufficient to protect your company’s information.

A recent study found that 68 percent of surveyed companies experienced one or more endpoint attacks that successfully compromised data and/or IT infrastructure. Cybercriminals and nation-states carry out increasingly sophisticated attacks on endpoints to:

  • Access valuable assets, including trade secrets or intellectual property
  • Exfiltrate data
  • Disrupt important services

The financial and reputational impacts of cyberattacks make it imperative for companies to take a comprehensive approach to endpoint security and use effective measures that combat modern cyberthreats.

While there are many different threats to endpoints, both internal and external, here are some of the most common:

  • Ransomware/Malware
  • Unpatched Vulnerabilities
  • Fileless Attacks
  • Compromised User Accounts

Following some endpoint security best practices puts the foundations in place to protect your networks from the range of cyber threats that inundate companies daily. These include:

  • Consistent Updates
  • Endpoint Security Tools
  • Employee Awareness
  • Detection and Response

Why An MDR Service Provider for Healthcare Organizations Makes Sense

Healthcare organizations collect and process a lot of sensitive data, making them a prime target for opportunistic cybercriminals. Managing security in-house is a complex undertaking, which is why many healthcare organizations look to outsource some or all of their security needs. Here are our top three reasons partnering with a managed detection and response (MDR) service provider for healthcare organizations makes sense.

#1: Security Expertise

According to ISACA’s State of Cybersecurity 2021 report, over half of surveyed organizations still have unfilled cybersecurity positions, indicating the cybersecurity skills shortage shows no sign of slowing down. By partnering with an MDR service provider, healthcare organizations can take advantage of expert 24/7 security monitoring, threat detection, alerting, and response services that they need to deal with constant threats like ransomware, without having to build an in-house security operations center (SOC).

Partnering with an MDR service provider for your healthcare organization is a more cost-effective way to have 24/7 monitoring of your networks and continuous access to security professionals. And a provider with extensive healthcare security experience will be able to provide recommendations on how to quickly improve your security posture, incorporating practices such as setting up business context modelling, creating segmentation with trusted network zones and controlling access to critical medical devices and infrastructure.

By outsourcing your security monitoring, you don’t have to worry about these staffing challenges; you only have to focus on the actionable alerts sent by your provider and can spend the rest of your time on other priorities.

#2: Advanced Threat Discovery and Response

Due to the sensitivity of healthcare files and the critical nature of their services, cybercriminals use a wide range of techniques, including ransomware, phishing and web application attacks to target healthcare organizations. Compounding the problem is that healthcare organizations have complex IT infrastructures, often with multiple locations, diverse departmental applications and legacy systems, plus patient and physician web portals.

Choosing an MDR service provider for healthcare organizations can provide advanced threat discovery by combining expertise with industry best practices such as the NIST cybersecurity framework to ensure your data is protected.

Threat Detection Use Cases

An MDR service provider for healthcare organizations means you get access to their expansive industry knowledge as well as their already built large library of threat detection use cases. This library typically includes support for a range of security tools and vendors and looks for specific indicators of attack or suspicious behavior to better detect threats. A good security team will send you actionable alerts for any critical threats and provide you with recommended next steps, so you have more confidence you’re keeping your networks secure.

In addition, an MDR service provider’s use case library is constantly changing, with new content being added to keep up with the ever-evolving threat landscape. Best practices also suggest that outdated content gets removed or updated, to make sure logs are only being run through relevant and useful use cases.

It would be highly challenging for an individual organization, starting from scratch, to build up a matching use case library – and unless there’s a dedicated team working on adding and updating the content, there’s still a high probability of missing new threats. Modern MDR service providers have a team specializing in keeping their fingers on the pulse as new threats constantly emerge.

Threat Hunting

Many MDR service providers also have a dedicated team for threat hunting, so they can be quick to react to any new threats in the wild. A team that operates globally provides additional benefits as the teams in each region can communicate information about threats local to their environment that may help hunt down new threats before they gain a foothold in another region. This is an added benefit of an MDR service provider for healthcare organizations that wouldn’t be feasible with a small local team.

For example, the local team in Asia may find a healthcare organization in their region is the target of a specific ransomware attack. The team can communicate information about this attack to other regional teams who can proactively, and extensively, search their clients’ network for any sign of the same threat.

Automated Response

For quick containment of credible threats, MDR service providers may offer a Security Orchestration and Automated Response (SOAR) solution that provides further protection of your critical assets. Automated response solutions are created to look for high-fidelity threats and can stop attacks before they expose sensitive patient information or bring down critical IT systems, mitigating a potentially devastating data breach.

The MDR service provider continually tunes and refines their rules to make sure they can detect the most relevant threats. Automated actions may include blocking an IP address or a compromised device from outbound communication, forcing a password reset on a compromised account, quarantining a device from your network, or proactively blocking newly detected attackers found in other networks via threat hunting.

#3: Compliance

For healthcare organizations, ensuring continued compliance with relevant industry regulations like HIPAA creates additional challenges and workload for internal teams. Failure to pass a compliance audit can result in hefty fines and data breaches invariably lead to high legal costs, patient harm, and reputational damage. Research indicates that healthcare organizations incur the highest breach costs of all industries at $499 million per record breach.

A compelling reason to consider an MDR service provider for healthcare is that you can partner with a company that fully understands these specific data protection regulations and requirements. For many, the HIPAA requirements for data storage and paper trails are numerous and ambiguous; partnering with an expert can provide your healthcare organization with best practice guidance and audit preparation for HIPAA compliance so you’re better prepared.

In addition, many MDR service providers for healthcare organizations will also follow industry standard compliance practices, like SOC 2, that demonstrate that they follow strict information security policies and procedures. Partnering with a certified MDR service provider gives you added confidence your data is protected.


Choosing an MDR service provider for healthcare organizations may not be an easy choice for everyone. But in a world of ceaseless attacks, sophisticated threats, and high data breach costs, outsourcing your security monitoring to a dedicated team of professionals who can protect your patient information 24/7 often makes sense. By finding the right partner, you can find a cost-effective security option that will reduce your information security risks and strengthen your cybersecurity posture.

See how Proficio can help secure your healthcare organization.

Lessons Learned: Ransomware Attacks in 2021

While ransomware attacks in 2021 show no sign of stopping, several high-profile occurrences in the first half of the year gained swift notoriety for either the scale of damage they inflicted or the targets they focused on. Here are four of the biggest attacks, and the lesson that can be learned from each.

Colonial Pipeline

A natural place to begin is with the most severe cyber-attack to ever target critical infrastructure in the United States. Instigated by the DarkSide ransomware group, this has been one of the most newsworthy ransomware attacks in 2021, targeting the IT environment tied to a pipeline system that extends from Texas to New York.

Hackers used a VPN account and a leaked password to gain access to the Colonial Pipeline network. The attack was noticed on May 7, 2021, when an employee saw a message on a computer screen in the control room, demanding a cryptocurrency payment. An operations supervisor decided to respond to the attack by taking the unprecedented step of shutting the entire pipeline down.

Colonial Pipeline decided to make the ransom payment of $4.4 million in bitcoin – and as a positive turn, with the help of the FBI, part of the payment has been recovered. The disruption to the pipeline lasted five days before normal operations resumed.

Takeaway: Use multi-factor authentication so that even if a password becomes compromised, hackers need to provide an additional category of evidence to access a resource on your network.

Acer

Taiwanese computer manufacturer Acer became the victim of another notable ransomware attack in March 2021. It’s believed a Microsoft Exchange vulnerability provided an entry route into Acer’s network.

The REvil ransomware group demanded a $50 million payment to return stolen data, releasing samples on the dark web. It’s not publicly known whether Acer paid the ransom.

Takeaway: Hacking groups don’t keep a 9-5 schedule. It’s critical for organizations to use 24-7 monitoring solutions that constantly seek out new types of attacks, critical vulnerabilities, and suspicious behavior on your network. A dedicated security operations team can provide 24-7 incident monitoring, detection, and response.

Sierra Wireless

Among several high-profile technology companies hit by ransomware attacks in 2021 was the wireless communications equipment designer and manufacturer, Sierra Wireless. The attack targeted both the company’s internal IT systems and corporate website.

Production at the company’s manufacturing locations was temporarily halted while the company quickly initiated measures to counter and contain the damage. While the internal network and corporate website remained affected for a few days, any customer-facing products and services weren’t impacted.

Takeaway: The swift response during the Sierra Wireless attack shows why speed is critical for rapid threat containment. Fast action can make the difference between an attempted hack and a devastating breach, which is why automated response solutions are essential for modern organizations.

Scripps Healthcare

Finishing things off is one of the most targeted industries – healthcare. In May 2021, a hospital in our own backyard was taken offline for almost a month due to a sophisticated ransomware attack.

While not much is currently known about this attack, during the same timeframe, we saw a similar attack take down Ireland’s Health Service Executive. This attack was due to an employee who unknowingly clicked a malicious link, and the cybercriminals demanded almost €15 million to return 700 gigabytes of confidential patient data.

Takeaway: Opportunistic hackers don’t take ethical or moral considerations into account when looking for targets to exploit. Knowing the signs of a ransomware attack in its early stages is key to stopping cybercriminals before they get into your networks.
While the ransomware attacks in 2021 that make media headlines often involve public infrastructure, health services, and large corporations, these incidents can happen just as easily on small to medium businesses. As we often say – it’s not a matter of if you’ll be attacked, but when – so regardless of the size of your company, preparation is vital to staying safe.