A new survey of government office workers across the world found that “digital natives” — those who grew up with modern technology — are actually more likely than older employees to exhibit bad password habits.
Government Technology, March 09, 2023 •  News Staff
For those who grew up with smartphones, technology tends to come naturally — except when it comes to password hygiene, apparently.

A new report from the cybersecurity and IT asset management company Ivanti, in which it surveyed about 800 government office workers across the world, found that younger employees were more likely to use the same or similar passwords for multiple devices or accounts. They were also more likely to share passwords between personal and work accounts.

The survey also found that those in leadership positions demonstrated worse cyber hygiene than others. They were more than four times as likely to have clicked on a phishing link and five times as likely to share passwords with people outside their organization. Leaders also take longer to change passwords and use easy-to-find information such as birthdays in their passwords, according to the report.

Other findings from the survey:

CyberheistNews Vol 13 #05  |  January 31st, 2023

Cybersecurity Ventures released a new report that claims cybercrime is going to cost the world $8 trillion in 2023. If it were measured as a country, then cybercrime would be the world’s third largest economy after the U.S. and China.

The number sounds outlandish, but they stated: “We expect global cybercrime damage costs to grow by 15 percent per year over the next three years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.

“Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”

The 2022 Official Cybercrime Report, published by Cybersecurity Ventures and sponsored by eSentire, provides cyber economic facts, figures, predictions and statistics that convey the magnitude of the cyber threat we are up against, plus market data to help understand what can be done about it.

Link to the article where you can download the report and see the VIDEO:
https://cybersecurityventures.com/cybercrime-to-cost-the-world-8-trillion-annually-in-2023/

Roger Grimes

KnowBe4 recommends that everyone use a password manager to create and use strong passwords as a part of their password policy:
https://info.knowbe4.com/wp-password-policy-should-be

LastPass, one of the world’s most popular password managers, recently had a bad data breach as revealed here:
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

LastPass divulged that although users’ plaintext passwords were not accessed, what the hackers did get included the following information:

The hackers also got LastPass users’ encrypted passwords for each stored logon. The encryption protection is strong AS LONG AS the master password a user chose for LastPass was strong. If you’re interested in a more detailed discussion, go here:
https://www.linkedin.com/pulse/just-how-bad-recent-lastpass-compromise-roger-grimes

In summary, if your LastPass master password was at least 12 characters long (the current LastPass default), contained some complexity, wasn’t an easy-to-guess password, and was not used on any other site or service, then you’re probably OK. If not, you need to immediately change all your passwords, both the LastPass master password and all the passwords you stored in LastPass.
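To make the “strong as long as the master password was strong” point concrete, here is an added example (not LastPass code and not from the original article) of what an attacker holding a stolen vault blob actually does: an offline guessing loop with no rate limit, lockout or MFA in the way. The key derivation is modelled on the scheme LastPass described publicly (PBKDF2-HMAC-SHA256 with the account identifier as salt) and the 100,100 iteration count is the default LastPass documented for current accounts; both are parameters here and should be read as assumptions. The HMAC “verifier” stands in for an encrypted vault item, and the wordlist and account names are constructed for the example.

```python
import hashlib
import hmac
import math

# Assumed parameters (see lead-in): iteration count is what sets the per-guess cost.
ITERATIONS = 100_100


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into the 256-bit key that protects the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_verifier(vault_key: bytes) -> bytes:
    """Stand-in for an encrypted vault item: anything that lets a candidate key be
    tested (in a real vault a successful AES decryption of a known field plays this role)."""
    return hmac.new(vault_key, b"vault-check", "sha256").digest()


def enroll(master_password: str, account_id: str, iterations: int = ITERATIONS):
    """Server-side enrolment. Everything returned here is what a vault thief ends up holding."""
    salt = account_id.lower().encode("utf-8")
    verifier = make_verifier(derive_vault_key(master_password, salt, iterations))
    return salt, verifier


def offline_guess(stolen_salt: bytes, stolen_verifier: bytes, wordlist, iterations: int = ITERATIONS):
    """Attacker's loop over a stolen blob: only the per-guess PBKDF2 cost stands
    between the wordlist and the vault contents."""
    for candidate in wordlist:
        key = derive_vault_key(candidate, stolen_salt, iterations)
        if hmac.compare_digest(make_verifier(key), stolen_verifier):
            return candidate
    return None


def guess_space_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password, which is what a 12-character random
    string offers and a dictionary word with a year bolted on does not."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(num_candidates: int, iterations: int, hmac_per_second: float) -> float:
    """Wall-clock cost of trying every candidate; hmac_per_second is a hardware
    assumption the caller supplies."""
    return num_candidates * iterations / hmac_per_second


# Constructed wordlist standing in for the leaked-password lists attackers use.
SAMPLE_WORDLIST = ["password", "123456", "Summer2022!", "letmein", "Welcome1", "qwerty123"]

if __name__ == "__main__":
    weak = enroll("Summer2022!", "alice@example.com")           # constructed account
    strong = enroll("x7#Kp2vQ9!mZwL4r", "bob@example.com")      # 16 random characters
    print("weak vault cracked with:", offline_guess(*weak, SAMPLE_WORDLIST))
    print("strong vault cracked with:", offline_guess(*strong, SAMPLE_WORDLIST))
    print("bits for 12 random chars from a 62-char set:", round(guess_space_bits(62, 12), 1))
    # 10 million candidates at an assumed 1e9 HMAC-SHA256 per second:
    print("seconds to try 10M guesses:", seconds_to_exhaust(10_000_000, ITERATIONS, 1e9))
```

The weak vault falls on the third guess; the strong one survives the whole list because the only thing the attacker cannot compute offline is a password that is not in any list. Lowering the iteration count (as older accounts reportedly had) shrinks the attacker's cost linearly, which is why both the password and the iteration count matter.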

Spear Phishing Bonanza

However, the plaintext information that was stolen (listed above) is incredibly useful to any hacker doing social engineering and phishing. It allows an attacker to specifically target (i.e., spear phish) a potential victim using information not known to the general public and other hackers.

For example, with a list of the web sites someone logs onto, a phisher can craft phishing emails that pretend to come from those sites and can include the user’s name, telephone number and mailing address. Each added detail thickens the veil of false legitimacy around a social engineering email, and each one increases the percentage of recipients who will become victims.

Knowing people’s phone numbers and what websites they belong to opens up an avenue for a fake tech support call. Mailing addresses can allow elaborate scams through postal mail. Here’s a brazen example of such a scam:
https://www.nasdaq.com/articles/inside-the-scam%3A-victims-of-ledger-hack-are-receiving-fake-hardware-wallets-2021-06-17

The sky is the limit on the types of spear phishing scams that can be created and delivered using the information stolen in the LastPass breach. Kudos to LastPass for making sure the most critical user information, the stored passwords, was kept in an encrypted state.

But this breach, like all the others before it, calls into question what type of user information should or shouldn’t be considered “critical information” and always stored in an encrypted state. If the information can be used to identify or contact you, it should probably be encrypted by default.

LastPass users were relieved to learn that their stored passwords were not directly compromised, but what information was taken by the hackers is likely to have spear phishing repercussions for years to come.

Blog post with links:
https://blog.knowbe4.com/heads-up-lastpass-attack-could-supercharge-spear-phishing-attacks


CyberheistNews Vol 12 #52  |  December 28th, 2022

To start off I’m repeating the tradition of my same New Year’s wish as a newsletter editor since 1996: “A world without war, crime and insanity, where honest people can flourish, prosper and reach greater heights”.

At the end of the year I spend a few days reading all the IT security pundits’ 2023 predictions and synthesize them with my own perspective. The Crystal Ball editorial is the shortest of the year and takes the longest to write, but it’s fun.

President Ronald Reagan once said, “The future doesn’t belong to the fainthearted; it belongs to the brave.” Sci-fi writer William Gibson added a few decades later: “The future is already here, it’s just unevenly distributed.” So, what will come next in our world of cybersecurity as we head into 2023?

The industry as a whole covered the following topics. This year will bring significant shifts to the world of cybersecurity. We could very well see a barrage of nation-state cyberattacks inspired by Ukraine’s hybrid hot- and cyberwar, an increase in MFA attacks, innovative strikes against drones and space vehicles, and skyrocketing social engineering that targets social media with deepfakes.

As the reach of hacktivism continues to expand, organizations are being compelled to look beyond endpoint solutions and invest in new “umbrella” platforms like XDR, Managed XDR and HDR that can help them manage increasing infosec complexity. Furthermore, ransomware is expected to remain a major threat as malicious actors experiment with new, even more damaging forms. We must be especially vigilant when it comes to emerging technologies such as self-driving automobiles, humanoid robots or the Metaverse, which will very likely provide cyber criminals with new attack surfaces. It is sure to be an eventful 2023.

As usual, I’m donning my asbestos undies, so you can safely flame my poor behind after reading the new 2023 predictions. Good riddance to ‘annus horribilis’ 2022, the year of permacrisis.

  1. A shift in focus to create a culture of security and resilience versus compliance and breach-prevention, as identity and authentication attacks will remain a constant threat.
  2. Dramatic rise of purely destructive attacks by APTs, as techniques of cyberwar will come to commercial cybercrime.
  3. Shapeshifting ransomware business models will become a bigger avenue for data theft and blackmail, EU possibly overtaking US as most-targeted.
  4. MFA adoption fuels a surge in social engineering, BEC and weaponized deepfakes will take new forms, social engineers set their sights on ICS systems.
  5. A foundational model for adversarial AI will make it into the mainstream. Have you played with ChatGPT? The coming GPT-4 will be a killer.
  6. Mobile Workplace Trends (gaming, LinkedIn, WhatsApp, Signal, Snapchat) create ever larger attack surfaces enabling lateral penetrations.
  7. Innovative Crime-as-a-Service players make major inroads.
  8. Cyber Insurers verticalize their already increased security requirements, both premiums and outright rejections skyrocket.
  9. Macro-economic pressures and the coming 2023 Recession expose weaknesses and increase systemic infosec risk.
  10. The fragility of crypto infosec will cause the mother of all breaches, undermining it as a whole, and spur central banks to roll out digital currencies. Search for CBDC and shiver.

In “The Big Lessons From History”, financial writer Morgan Housel sums it up succinctly: “Risk is what you don’t see,” and “The riskiest stuff is always what you don’t see coming.” All the more reason to keep your eyes peeled and send monthly simulated phishing tests to keep your users on their toes!

Sponsored by Specops Software  • December 6, 2022

Frustrating for users and administrators alike, passwords can be a challenge to manage in any organization. One lost or stolen password may be the crack in your organization’s foundation that lets an attacker slip in.

Conventional password recommendations have held that regular changes and lengthy and complex passwords would keep attackers at bay. Many guidelines have been published, but in recent years, conventional wisdom has been changing.

One such guideline, first published in 2017 and updated in 2020, is NIST Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management, part of the 800-63 Revision 3 suite). A significant change was the removal of the prior recommendation for periodic password changes: verifiers should not require arbitrary rotation, but must force a change when there is evidence the password has been compromised.

The Good and Bad of Password Resets

NIST’s recommendation against arbitrary rotation does not mean there are no valid reasons left to reset a password; the same guideline requires a change when there is evidence of compromise. Below are some pros and cons of when password resets make sense and where they may fall short.

Pros and cons of password resets:

  Pro: Regular password resets mean a stolen password is usable only for a limited time.
  Con: Users are more likely to fall back on a predictable password pattern, leading to insecure passwords.

  Pro: When a breached password is found, forcing a password reset ensures users do not continue to use insecure passwords.
  Con: An organization can avoid future resets by checking for breached passwords at password-change time.

  Pro: Lost devices should necessitate a password change to ensure that a cached password is not used.
  Con: Multi-factor verification makes a lost device more a nuisance than a security issue, especially with encrypted devices.
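The alternative raised in the table, checking a candidate password against a breach corpus at change time rather than rotating on a schedule, is the practical heart of the NIST SP 800-63B guidance. The following is an added example (not Specops code and not from the original article) of how such a check is done without ever sending the password or its full hash to anyone: the k-anonymity “range” scheme used by the Have I Been Pwned Pwned Passwords API. The breach corpus and its counts are constructed for the example, and `range_lookup` is an offline stand-in for the real `https://api.pwnedpasswords.com/range/<prefix>` request; the 8-character minimum is NIST’s floor for user-chosen passwords, with the policy threshold left as a parameter.

```python
import hashlib

# Constructed breach corpus standing in for a real one (passwords and counts are invented).
KNOWN_BREACHED = {
    "Password123": 123456,
    "Summer2022!": 57,
    "qwerty": 3912816,
    "Welcome1": 8912,
}


def build_range_index(breached: dict) -> dict:
    """Server side of a k-anonymity lookup: index SHA-1 hashes by their first 5 hex
    characters so a client can ask for a prefix and receive only hash suffixes."""
    index: dict = {}
    for password, count in breached.items():
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(KNOWN_BREACHED)


def range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>, which
    returns 'SUFFIX:COUNT' lines. The server never sees more than the 5-char prefix."""
    return "\r\n".join(RANGE_INDEX.get(prefix.upper(), []))


def breach_count(candidate: str, lookup=range_lookup) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        known_suffix, count = line.split(":", 1)
        if known_suffix == suffix:
            return int(count)
    return 0


def validate_new_password(candidate: str, min_length: int = 8, lookup=range_lookup):
    """Password-change policy check in the spirit of NIST SP 800-63B section 5.1.1.2:
    enforce a minimum length (8 is NIST's floor for user-chosen secrets; many
    organizations set 12 or more) and reject anything found in a breach corpus,
    instead of imposing periodic rotation or composition rules."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    count = breach_count(candidate, lookup)
    if count:
        return False, f"found in breach corpus {count} times"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Password123", "short", "Welcome1", "a long unique passphrase 2024"]:
        print(repr(pw), validate_new_password(pw))
```

In production, `range_lookup` becomes an HTTPS GET to the range endpoint (or a query against an on-premises copy of the corpus); the privacy property is unchanged because only the five-character prefix leaves the client, and the suffix comparison happens locally.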

With all of these potential scenarios, how do password resets, scheduled or unscheduled, cause real economic and productivity damage?

The Ever-Increasing Overhead of Password Resets

Many users dread a password reset. There is always a cost, whether the reset is routine or the result of a problem. Imagine a user who is about to start the workday but must first rotate a password because company policy demands it. This is not uncommon: many users wait until the last minute to change passwords, leading to locked-out accounts and longer-than-expected queues of password reset tickets.

In studies, the Gartner Group found that between 20% and 50% of all help desk calls are for password resets, and each reset typically takes between 2 and 30 minutes to resolve. The time and cost a helpdesk saves through a decrease in password resets lets it focus on more complex problems.

The increased interconnectivity of systems often compounds these time commitments. In an authentication system like Active Directory, a password reset means the changed password must be replicated to all connected Domain Controllers (DCs).

With more remote workers, this may mean that the DCs are geographically spread out, leading to longer replication times. Adding additional subsystems in the mix, some even with manual synchronization, can compound the problem even more!

Any user facing the prospect of 30 minutes or longer time to resolution for a password reset will do whatever they can to avoid that. How might users avoid password reset issues? Instead of choosing a strong password, they may opt for one easily remembered, such as a repeating pattern. Or, they may write down the password, often leaving it in an insecure location.

Reset Password Sends Productivity Down the Drain

What happens when a user misses the window to reset their password or forgets the latest password because of how many recent changes there have been? Not only does the user need to reach out to the already overworked helpdesk, but they are stuck waiting for a resolution rather than working in the meantime.

Plus, when a user is locked out, the password reset takes priority over other vital tasks since that user can no longer work. Any organization’s priority would be to get that individual productive once again. Thus, a password reset necessarily diverts a helpdesk’s attention.

As recent years and studies have shown, the move to more remote work is not lessening. 58% of Americans reported having the opportunity to work from home at least one day a week. A potential benefit is more flexible work hours.

There are many benefits to flexible working hours, both for employees and employers, but this also means that when a password reset is required, it may be outside helpdesk hours. Without assistance, the employee is stuck until the next day, potentially leading to even more productivity loss.

How Password Resets Hurt the Bottom Line

Moreover, passwords can be an expensive burden for organizations of all sizes. Forrester Research states that the average help desk labor cost for a single password reset is about $70. This does not consider the lost productivity for a user, compounded by the many password resets done in a given year.

According to a Yubico-sponsored report, the average user spent 10.9 hours a year on password resets, leading to an average loss of $5.2 million a year in productivity for a 15,000-user organization (based on a $32-an-hour average). The Yubico report focused on the end user, but that is not the only place the time goes.

For IT helpdesks, a OneLogin study found that over 37% of companies spend more than 6 hours a week on password resets. That is time helpdesk staff could spend on more critical tasks; it could even mean an organization needs fewer helpdesk employees overall.

Self-Service Password Resets Save the Day

With all of these challenges, what can an organization do to lessen the impact of password resets? One step would be to implement the latest NIST guidelines and do away with regular password resets. But, a user will inevitably forget a password, or an unrelated breach may also lead to a compromise.

The best way for an organization to save time, money, and productivity is to empower the users with a self-serve password reset solution. Specops uReset offers a variety of features to allow users to reset their passwords without the need for a time-consuming and potentially expensive IT helpdesk call.

Password resets, while necessary in some cases, lend themselves well to self-service, with a lessened impact on the helpdesk and an organization’s bottom line. You can test out Specops uReset in your Active Directory to experience a secure self-service password reset solution.

Sponsored and written by Specops Software

The international ransomware group LockBit claims to have stolen 76 gigabytes of data from the California Department of Finance. The data is said to include confidential and financial documents, and other sensitive information.

December 13, 2022 • Lindsey Holden, The Sacramento Bee

(TNS) – California officials are investigating a cybersecurity incident at the Department of Finance after a global ransomware group claimed it stole confidential data and financial documents from the agency.

The California Office of Emergency Services on Monday said in a statement that the state Cybersecurity Integration Center is actively responding to a cybersecurity incident involving the California Department of Finance.

Cal OES describes the threat as an “intrusion” that was “proactively identified through coordination with state and federal security partners.” The statement did not provide any specifics about the nature of the incident, who was involved or whether information or data had been taken.

Cal OES said only that “no state funds have been compromised.”

Tech news outlets reported global ransomware group LockBit was behind the threat.

Screenshots from the group’s website show it claims to have stolen 76 gigabytes of data, including “databases, confidential data, financial documents, certification, court and sexual proceedings in court, IT documents and more … ”

The U.S. Department of Justice in November charged a dual Russian and Canadian citizen for taking part in LockBit’s ransomware campaign.

The DOJ reported LockBit appeared in January 2020 and has threatened at least 1,000 victims in the United States and internationally. It described the group as “one of the most active and destructive ransomware variants in the world.”

©2022 The Sacramento Bee, Distributed by Tribune Content Agency, LLC.