
January 22, 2021

3 Hacks from 2020 that (Probably) Could Have Been Avoided with Better Security Awareness Training

There’s no denying that 2020 was a year of confusion and stress for both individuals and companies alike. 

The COVID-19 pandemic created a playground for bad actors to capitalize on vulnerabilities— particularly preying on unsure work-from-homers and the newly found security gaps that came with a sudden shift to remote operations. 

Hackers’ game of choice on the coronavirus jungle gym? Targeted social engineering schemes. But while some companies fell for the employee-focused scams, their lessons serve as a blessing for others— empowering us to learn from their mistakes.

Let’s take a look at three big hacks in 2020 and discover how the cyber bullies played dirty. With an understanding of how they did it and the right resources for your team, we’ve got the secret to strengthening your security in 2021.

The Garmin Ransomware Attack

Sport and fitness tech brand Garmin found themselves in hot water over the summer of 2020 when customers were locked out of their applications and tools by a hard-hitting hack. With their website down and an influx of confused users, Garmin quickly discovered they were in the midst of a ransomware attack. The company would have to pay a hefty $10 million ransom to regain control of their website, app, and seized files.

After a month of downtime while Garmin noodled on a solution, the GPS company was backed into a corner. Despite the possibility of penalties, Garmin allegedly rallied financial support from another firm to pay the full ransom. 

While they got their access back after forking over the fee, Garmin is still trying to understand what information could have been compromised during their system lockdown, despite complying with the bad guys’ demands.

The Need for Security Awareness Training

This ransomware attack limited Garmin’s service offerings for weeks, causing instant repercussions with current customers and unpredictable damage to the tech brand’s reputation and future success. 

The reality is, ransomware compromises usually start with a social engineering attack. Hackers often phish employees to gain access to juicy information that could help them breach secure systems. That’s because big-name brands usually have top-notch technical security measures, which are hard for cybercriminals to crack. Social engineers know that with the right pretext they can squeeze important information out of employees, who give them the insights they need to crack passwords or find backdoors in systems— so they can sneak in unnoticed instead of breaking down digital defenses.

All of this may have been avoided had Garmin empowered their employees with the right cybersecurity awareness training. With the right insights on what to watch out for, their team could become one of their greatest security assets, instead of a brand’s weakness.

The Twitter Bitcoin Scam

Mid July of 2020, many prominent account holders on Twitter simultaneously tweeted unusual Bitcoin-related statuses. From political figureheads like former U.S. President Barack Obama and then Democratic presidential candidate Joe Biden to notable celebrities and large corporations like Apple and Uber, 130 high-profile Twitter accounts posted about a Bitcoin scam.

The tweets promised followers that if they clicked a link and sent a Bitcoin donation, the generous account holder would double the contribution back. Wait, if I give you $1,000, you’ll send me $2,000 back? How could you say no?

Hundreds fell for the scam and sent their money to these hackers’ shared account, but— as you may have guessed— no money was returned as promised. Once word of this mass compromise spread, many account holders were able to take down the fake posts within minutes of posting, but dozens of users had already fallen for the ruse. Luckily, blacklisting the links stopped over 1,000 transactions, totaling over $280,000, from being sent, but enough damage was already done.

The Need for Security Awareness Training

Twitter itself revealed that this flashy attack was the result of a mass social engineering exploit, targeting employees who had high permissions to sensitive internal info. While specific details of the attack weren’t revealed, it’s likely employees were either tricked into sharing important info that gave the attackers a doorway in, or Twitter employees accidentally downloaded malware. 

Twitter’s high-access employees may not have fallen for either had they been involved in deep cybersecurity awareness training. Armed with examples of phishing schemes or a better understanding of the tactics hackers use to manipulate employees, their team may not have been fooled by these hackers’ tricks.

The Universal Health Services Ransomware Attack

Towards the tail end of September 2020, hospital and healthcare companies using Universal Health Services (UHS) software ran into some real problems. Workers at more than 250 hospitals across North America were booted out of their important logins and blocked from getting back in, according to Business Insider. To boot, phone lines were compromised and healthcare professionals were left without crucial documentation and communication tools to do their jobs.

All systems were quickly disconnected to prevent further breaches. Staff documented what they could by pen and paper, but most software-reliant operations ground to a complete halt. At the affected sites, surgeries were postponed and ambulances diverted to other facilities. Chaos ensued for days. 

The compromise was confirmed to be a ransomware attack, like the breach in the Garmin case above, where the bad guy locks access to important files until the victim pays a high-dollar ransom. Ransomware attacks on electronic health record (EHR) systems average an alarming 15 days of downtime, and UHS was no exception— not getting full functionality back until October 12th. While no patient data was compromised in the attack, the disruption was undeniable.

The Need for Security Awareness Training

While it has not been confirmed how exactly the breach began and the investigation continues, ransomware attacks are often the result of social engineering scams. In the case of UHS, this Fortune 500 hospital and healthcare services provider had a 400+ facility network, where a goldmine of data was housed. Luckily, it doesn’t appear that hackers were able to access patient information before they were booted out, but the possibility was too close for comfort.

By requiring cybersecurity awareness training for all UHS staff and users of the interface, they could have drastically lowered their chances of falling for a phishing scheme or clever ruse that helped hackers gain the permissions they needed for a system breach.

A Better Approach to Security Awareness Training

Some companies avoid training programs like COVID because they’ve watched it fail time and time again. 

But what if we told you that we’ve cracked the code and know how to get your team invested in cybersecurity awareness training once and for all?

There are new trends for empowering and exciting your team about your security initiative, and we’ve got them packaged with a bow in our 7 Essential Trends Of Human Risk Management for 2021 guide. Give it a read for free, today. 
