Video: Don’t Get Spooked by Cyber Threats | Duration: 2584s | Summary: Don’t Get Spooked by Cyber Threats | Chapters: Welcome and Introduction (23.455s), SMB Ransomware Landscape (204.145s), Evolving Attack Trends (425.93s), Cyber Security Gaps (998.925s), MDR Benefits Explained (1135.4349s), Sophos MDR Explained (1713.01s), SaaS Security Risks (2097.605s), Conclusion and Insights (2218.59s)
Transcript for "Don’t Get Spooked by Cyber Threats": Hi, everyone. Welcome to today's webinar. I'll just give a few minutes for everyone to join. So, yeah, let's just give it two minutes to get started. Okay. Awesome. So, again, welcome everyone joining today's session. We'll have a Halloween-style SMB threat landscape webinar today. So we'll go through the threat landscape of the SMB category, and then we'll talk a little about the latest threats and the way to find the best solution to address them. So first of all, my name is Fungua. I'm a sales engineer at Sophos. With me today will be Jessica, our senior channel account executive, and Laura from our security ops solutions engineers team. I also want to remind everyone, we do have a Q&A box where you can put your questions, and then we can answer all the questions at the end of today's session. So without further delay, I'll get started. So first of all, let's talk about the SMB threat landscape recently, especially in 2025. Looking at the small business sector, they make a big impact on Canadian business. According to Statistics Canada, 99% of Canadian businesses are sub-500, and they are contributing more than 50% of Canada's economy. But based on our research from last year, 2024, 70% of the Sophos incident response cases, where customers call in when they discover a breach so that the incident response service jumps in and resolves it for them, 70% of these cases actually originated from small and medium-sized organizations. And among all of these threats, ransomware is still the greatest threat. So far, we actually published a ransomware documentary on YouTube, which is the story of Doctor Sheila Cassell.
So she's been running her family practice in California for the last thirty years. Until one day, when she tried to log in to her computer, all of a sudden she found she wasn't able to log in to her scheduling system, her patient record system, and everything was blocked. The reason is just one of her employees clicked on a phishing email and surrendered the credentials to a bad actor. All her data was encrypted, and the result is pretty painful. She was forced to close her business, which she had run for the last thirty years. So ransomware could be doing more damage than we expected. And besides closing her business, she might still have the other concern of the patients' data being leaked to the dark web. It could be leveraged to do more damage to those individuals, because their health records, their personal ID, even their financial information could be related and could be leveraged by bad actors. So if you want to know more about ransomware and how bad it could be when you're under a ransomware attack, find this "Think You Know Ransomware" documentary on YouTube presented by Sophos. And talking about damage, this is from the Sophos ransomware report 2025. Specifically, in small and medium-sized organizations, which in most cases we're thinking of as under 500 employees, the damage could be up to 1,000,000, and even under 250, it's over 600,000. Just imagine an organization running a whole year, how much profit you can make from the business, compared to one hit, how much damage it could be. So definitely not something that can be tolerated by small and medium organizations. So there are a few other attack trends that also showed up in the last years, so I will just address them one by one. First of all, it's remote ransomware attacks. A lot of people aren't familiar with this idea, and they are thinking the current endpoint protection solution has provided protection for that.
So, since 2022, we are seeing more than half of the successful ransomware attacks involve this remote ransomware attack, and 80% of them are coming from unmanaged devices. We'll talk about unmanaged devices real quick. They are growing rapidly in the last couple of years. So this explains the difference between a traditional ransomware attack and a remote ransomware attack. The traditional one originates from a device where you might have an endpoint protection agent on it. So the agent can identify this malicious encryption process and stop it right away on the endpoint. Well, in the remote ransomware attack, the attack is actually coming from a remote device, which could be a rogue device, a visitor's computer, or just an unmanaged device that's sitting in the corner of a network. So attackers, if they have access to these unmanaged devices, can go through network sharing or through discovery to find any exposed resources on these other machines and then start the encryption. The traditional endpoint protection agent won't be able to detect these remotely launched attacks from their machine, because it's happening on another machine remotely. So you really need to look into how you can prevent this remote ransomware attack from happening. The other trend in the last couple of years is dual-use tools. Maybe I'll use another term you might be more familiar with, which some call living-off-the-land attacks or shadow IT. You will notice there are a lot of tools within your organization currently being used by your IT team or your end users right now. These could be tools like discovery tools like IP scanners, assistance tools like screen sharing, AnyDesk, credential access tools, lateral movement tools.
When I do health check calls with my clients, I always see a lot of exclusions for PsExec, PSQL, and most of them are set up in the global exclusions, which is available to all the people, all the end users in the network. This is not safe, because when bad actors get access to one of the devices, especially if it's an unmanaged device, they don't need to bring in code so they can bypass the protection. They can just leverage the existing tools or system processes like PowerShell to execute the malicious activities. It can easily bypass any existing protections because a lot of these tools have already been excluded from the protection. So bad actors don't need to find a way to disable the protection or try to hide their behavior. They can just leverage the existing tools. Unmanaged devices certainly create a lot of damage as well. When I talk with a lot of clients, they're complaining, hey, I just can't upgrade this machine because it's more expensive to replace the machine, to upgrade it, than to buy a new one. But there is software running on this machine that I just cannot replace. Or there could be some IoT devices or smart devices sitting in your network which you are not able to install a protection agent on. So this is really some concern that should be raised, because these devices sometimes are running old firmware. They could bring some critical vulnerabilities into your network. While you keep all your other versions up to date, these machines, something like a legacy Windows 7 computer running some legacy applications, could be bringing critical exposures to a network. And from our record of the Sophos MDR service, we have one set of breaches involved with unmanaged devices.
Even if you invest in certain levels of XDR or MDR solution, because these devices are not managed in the platform, they're staying invisible in the network. We're also seeing a trend of advanced phishing or pushing types of attacks recently. And, actually, we at Sophos as a vendor experienced this phishing attack last year, targeted at some of the Sophos employees. Something I want to highlight here is, besides using a QR code to try to trick the end user, they are using the premlo platforms for the MFA, the multi-factor authentication. They proposed a fake Cloudflare verification page and then a Microsoft MFA page. So it looks really close to the real one if you don't have experience. Just imagine one of your regular users: how can they figure out this is a fake website rather than the real authentication process they need to use? So talking about this trend of attacks, let's see what's the root cause of these attacks. We're still seeing vulnerabilities at the top among the different types of attacks. Just one example could be telling: as we've noticed, just one of the vulnerabilities, exposed back in 2015, is still widely used by the bad actors, which means there are a lot of systems still running unpatched in the environment. And the vulnerability is the entrance for the bad actors, but the reason could be coming from various sources. As you can see, compromised credentials, malicious emails, and phishing, when they get into the environment. One of them is just a way they exploit the system or exploit the protection. But there are still a lot of attack surfaces exposed in various directions. Emails, network, endpoints could be exposed to these attacks.
And besides the tactical perspective, let's take a look at the upper operational root cause of the attack. There are three major categories listed here. The first one is, we are seeing 60% lack of protection. So poor-quality protections exposed, which couldn't stop the attack. This could be you are missing protections in one of the directions, because we do see people still using some basic protections on the email side that are just provided by your email provider. We're seeing people missing some protections or visibility into the network traffic. We also see 63% resource challenges, which is, even if you have the tool in place, you just don't have the person with the appropriate expertise or experience to use these tools effectively. In fact, we are seeing organizations, even in SMB, using more than 20 security tools or IT tools at the same time. But instead, we only have one or two IT people in our IT team to use these tools and monitor that. We also noticed over 65% security gaps exposed in the threat defense. The security gaps could be gaps between different security tools. You think you're well protected, but still there's something missing in your defense layers. So this also takes us to the next topic, the cyber gaps, the cracks in the castle wall. I actually managed to find this picture representing our current layered approach to security protections. This could be representing, for example, the authentication process you have for any VPN users or end users who need to log in to your network. You have strong defense on your network edge by firewalls. You name it, IP access, you only allow certain traffic to be transferred through. You have monitoring tools. You run different reporting platforms.
You have enhanced protection for your server farms. You have a layered approach out there. Sometimes, somehow... this picture popped up recently. It was last week. The bad actors just used this elevator, moved to the second floor, and broke through the window. No alarm triggered, and the criminals actually took nine priceless jewels from the Louvre Palace. This castle is supposed to be well protected. They have all the other protection measures. Right? Actually, I visited this palace last year. They have security dogs. They have patrols walking around. I believe they have alarms on doors and windows. But somehow this window on the second floor was not protected, and there was no alarm triggered when the bad actors got in. So this really tells us some gaps could exist in your environment which you are not aware of. So, in that case, I will introduce our next presenter to tell you a few case studies of the horror story with a happy ending.

Awesome. Thanks, Feng. So I'm just going to go over a real-life scenario that happened. If you can go to the next slide. So this was an organization that worked in agriculture. They did some programming for other agriculture organizations. So lots of important information and data here that they had for other organizations, let alone their own. As you can see, it was a small organization, only 10 endpoints and three servers, and they were breached right before Christmas. So you're gonna see a lot of threat actors come during times that you're caught off guard, so not paying as much attention. People are busy during holidays. So this happened on 12/18/2024. So what happened was an employee fell victim to a phishing attack. They clicked on something in an email they shouldn't have, and the threat actors got in, and they were undetected for quite a while.
They were moving around in the systems for months, wreaking havoc, looking at all the information, looking at all the data, and then they eventually encrypted everything, locked up their systems, and left a ransom note. Akira is a really well-known ransomware group, and it was them that left that ransom note. That's when Sophos was engaged with our emergency incident response. That's kinda like our 911 button that gets our teams on the fly helping these organizations get out of this mess. So our Sophos 911 was called, and we came in and started the recovery process. It took several weeks. Luckily, this was during the winter season for this agriculture organization, because it was their slow season, so it wasn't too bad of an impact. But they still needed access to their documents and data and information, so they had their cyber insurance company help with negotiations for the ransomware, and they eventually negotiated with Akira and had to pay a ransom of $185,000. Akira then let their data be released and unencrypted everything, and they made the promise that they won't release any of that information to third parties as well. So that's a scary, spooky story for you, a real-life scenario that happened, and Sophos was involved in helping them out. And we eventually rolled them over to our Sophos MDR. And it was interesting because they paid around $30,000 for the incident response. And if they had had our MDR solution in place, it would have been a fraction of that. Next slide, please. Awesome. So we're just gonna go over why MDR, that's our managed detection and response, is a treat, not a trick for SMBs. So these are some of the benefits of having an MDR solution in place. It keeps your business running. So even during a cyber attack, if you have MDR in place, things get resolved faster, things get detected, and it avoids a complete nightmare of your systems going down and having to halt operations. It helps you qualify for and keep cyber insurance.
So, self-explanatory. A lot of the time, if you have an MDR solution in place, it checks off all the boxes for getting your application approved. It also lowers premiums. And in case there is an incident, it helps with reporting to get your claims and get your payouts faster as well. Next slide. Awesome. So, 24/7 protection without hiring a full IT team. This is especially beneficial for SMBs. Of course, we can't always have a big team of experts, so having somebody watching your systems 24/7 is super helpful. It detects problems before they become disasters. Again, it spots suspicious activity early, before anything goes down. It's also human-led, so you're not relying on just software alone. And it also builds customer trust and compliance. This is a big one. So it helps meet industry and privacy requirements automatically. It helps protect your reputation, and it also shows all the people involved in your organization that you are taking data protection seriously. Now I'm gonna pass it off to Laura to tell you a little bit more about MDR and how to pick your monster hunters.

Wonderful. Thank you so much. So it is Halloween, so we need to have those monster hunters ready. So one of the things that I also like to think about, as Jessica was saying, back to that story: they came in through identity, through email, through these other locations that these threats are trying to come in through. So we wanna take a look at your security. Is it a haunted maze? Are you looking at all of these different consoles? Are you looking at your email, your firewall, your endpoint protection? And we wanna make sure that they're not ghosting each other. We wanna make sure that they are able to communicate and integrate with each other. Next up, do you have full transparency to that data?
One of the things that I find important is not just making sure that you have protections in place, but do you have full visibility to look into any of these concerns? Do you have access to it in case there is something happening within your environment, or if you ever need to pull it for compliance and audit reasons? And, also, talking about the story earlier, this happened around Christmas. If you think about threat actors, they like to target when it is least opportune for you and most opportune for them. This means times like weekends, holidays, Halloween, Christmas. I see a huge surge happen around these times because they know that this is when you typically need to step away from your computer. All of us like to have our weekends. We like to be able to go home at night and hopefully sleep. And we don't want you to have nightmares about what's gonna be happening to your environment. So you need to make sure the MDR provider is covering weekends, nights, holidays, and those times that are gonna be extra opportune for the threat actors out there. Additionally, one thing to think about when you choose an MDR provider is what level of action are they gonna take. When you're thinking about incident response, response is one of those keywords that changes per provider and vendor. We want to make sure that when we're talking about response, you're on the same page as them. Sometimes, for different vendors, response means sending you an email and alerting you, maybe giving you a call. But a lot of times, the incident response plan or the actions taken are on your plate. So when you think about response, are you looking to have a fire alarm go off? Are you looking to have the fire department call you?
Are you looking for them to come and put out the fire, or do a full fire investigation, including the root cause of where did this come from, and how did we put out the fire? Where did it originate from? And were there any other fire concerns? Additionally, a lot of businesses have compliance requirements, whether that's gonna be HIPAA, PCI, SOC, or aligning to other frameworks like NIST. And you wanna make sure that the solution is gonna help you meet your compliance needs. One of the common compliance requirements is continuous monitoring, or auditing records to make sure that they are being reviewed. MDR will hit those compliance requirements. And last, but certainly not least, do the reviews align with your cybersecurity goals? So making sure that when you're talking to and looking into an MDR provider, you wanna make sure those reviews are glowing more than a jack-o'-lantern at midnight, shining brightly, highlighting all the differences between what you're looking for and what they're providing, and you wanna make sure that they're aligning. Speaking of MDR, I wanted to touch on what is Sophos MDR. We're gonna be the Ghostbusters of cybersecurity, providing managed detection and response. This is a fully managed 24/7 service provided by experts who specialize in not just detecting, but taking response actions to cyberattacks. As Feng talked about earlier, traditional cybersecurity solutions will have an endpoint in place, which will block most threats. But, unfortunately, the threat actors are becoming very sophisticated, using those living-off-the-land techniques and getting the users to click on links or fall for phishing emails. And these are gonna be attacks that just one solution alone isn't gonna prevent.
You really need to have those specialized experts identify when this is gonna be a hands-on-keyboard threat actor. Sophos MDR is gonna dramatically reduce your risk. The reason why is because we are providing that 24/7 coverage, whether that's gonna be weekends, holidays, nights. You're gonna have eyes on your environment, alerting, and hands-on-keyboard response. On average, we're responding within thirty-eight minutes. That's very quick compared to the fact that a lot of in-house solutions may take up to sixteen hours. And especially when the dwell time for a threat actor is going down, you need quick hands-on-keyboard response. And we have hundreds of experts available because of the fact that we are operating 24/7. We have over 35,000 customers globally, anywhere from customers that are just one person all the way up to thousands of users in the company. So we're able to provide that security for the smallest of companies to the large companies as well, especially specializing in small and medium businesses, because we understand that you may not have somebody that can be there 24/7. You like your sleep? We wanna make sure you have that peace of mind. No nightmares. We're performing thousands of investigations and constantly stopping attacks every day. So how are we doing that? Well, like I mentioned, we are monitoring for those advanced threats 24/7. We're not only identifying, but fully doing triage, investigating, responding to these different threats, as well as proactive response. So we're not just doing threat hunting, but if we're seeing trends in the industry, we perform proactive threat hunts. We're getting this data not just from the endpoints and servers, but across your full environment.
We're pulling that telemetry and taking action on it, and we're identifying those root causes as well. So not only knowing that the threat has been mitigated, but knowing how it came in, to make sure it doesn't happen again. I talked about being able to pull in data from multiple telemetry sources, and these event sources are all the way from endpoint and server, but also from network aspects, whether that's gonna be if you have some sort of network detection and response in place, from your firewall, email, cloud environments, identity if you're using, like, Okta and Duo, backup, and productivity tools, for example, Microsoft and Google. We're actually able to pull in those M365 detections, correlate them, and create our own detections based off of the data that we're ingesting. And it's not just limited to Microsoft 365. When we're ingesting that data, it's not just sitting there. We're parsing through it, normalizing it to the MITRE ATT&CK framework, and correlating it between data sources. So even before it touches an endpoint or server, we can see an attack coming from email or from your firewall. And then we're enriching that with our knowledge, because we have over 600,000 customers. We're enriching it with the data from our X-Ops team, creating those detections, prioritizing it, and investigating. So it sounds like a lot and a long time, but the detection normally comes in within one minute. We're investigating, providing information, hands on keyboard to figure out who, what, where, why, and how, providing that threat intelligence and full-scale incident response. So as a summary, just real quick here, I wanted to summarize what is going on within the threat landscape.
Ransomware is gonna be a top threat, especially remote ransomware, and not every security solution provides protection against the remote variants. Sophos Endpoint does include protection against that, and our MDR team is skilled at investigating them. Small businesses are heavily impacted. They're a lot easier to target for these organizations, because they may not have all the security tools in place that a large organization would. Unfortunately, there's a large number of businesses that are targeted every year, especially due to unmanaged devices and vulnerabilities. We're also seeing a lot of phishing techniques used, whether that's gonna be phishing, phishing, deepfakes, so impersonating. And what we recommend is having managed detection and response to provide protection, not only against the emerging threats, but also through insurance benefits as well. So what can you do? Well, let's jump to the next slide. If you do have any questions or concerns, you can reach out to Jessica. But, additionally, what I would recommend doing is identifying if MDR would be a good solution for you and your organization.

Awesome. I think we're gonna open it up to Q&A. I see a couple of questions in the Q&A box. So the first question being: for a business that relies only on SaaS-based services, no on-prem architecture, can an unmanaged device exploitation result in identity theft or unauthorized access to these so-called SaaS services? I'm gonna let Feng or Laura handle that question.

So the short answer is yes. And it really depends on your organization and how it's set up. If you think about it, Microsoft 365 often is utilized as a single sign-on to a lot of these applications. So if you are thinking about your Microsoft 365, especially if it doesn't have two-factor authentication on there, somebody types in their credentials where they shouldn't.
In fact, I have a real-life story about this. There was a company that had a user, on their personal machine, on their personal email, click on what they thought was a work-related email, and they put in all their work information. So their email address, their password, information about their work, to log in to this illegitimate work link. And so if you think about it, in that situation, that user's account was compromised. And if the SaaS applications can utilize those credentials, absolutely, there's the ability to perform that breach as well as perform data exfiltration. Because it's not just ransomware that's a concern. You have to think that when you have access to the sensitive information that's in email, whether that's gonna be customer information, whether that's gonna be wire transfer information or customer relationship management portals, they could exfiltrate that information and sell it on the dark web. So, yes, it is important to have that in place, and you can be breached on SaaS applications.

Thanks, Laura. So Canadian businesses are a lot smaller than that. Average is less than 20.

Yes. Our SMBs in Canada are a lot smaller. That's why the case study I chose was, by design, 10 users. But it's not necessarily about the size of the organization. It's how much their data and information, how critical that is. These threat actors and these ransomware groups are highly sophisticated organizations as well. So they are very well versed in making sure they know how much money these organizations are making, how much they're capable of giving over for ransom. So this is very relevant to sub-20 organizations as well. I would say it's especially important. Oh, go ahead, Feng.

No. You continue. I can add on.
It's especially important because when there are only 20 people on average, generally there aren't these sophisticated security controls in place. So the threat actors know that it is typically easier to target these organizations. They'll do open source intelligence to find out information, scans across the environment, and then target them, because it's a lot easier to target a lot of small organizations than one large one. Additionally, real quick, as far as relevant statistics, the ransomware report, State of Ransomware 2025, does have information. It is all the way up to 250 for the small organizations, but I've seen from personal experience helping out with incident response that a lot of these organizations that are targeted are quite frequently around 25 people.

Yeah. That's a great point. Smaller organizations usually have a smaller IT team, and they have less defense and capability to match their security postures. But, also, I want to point out, when I talk with Canadian-based small and medium-sized organizations, one sentence they always bring up is, you know, we're not on the radar. Like, we are too small to be targeted. And the fact is, no one is too small to be targeted, based on what's the impact to your business if the breach is gonna happen. Right? How much is it gonna cost your business? And, also, it depends on what other data you're hosting. And if you are in the financial sector, even if you are just a company providing mortgages, you will have a lot of financial-related data, which is pretty valuable to bad actors. So they think it's valuable even if you are a smaller organization. And this could be very costly in terms of the impact to your business. So I would try to talk with customers about this part, like the value of your data.
Like, it doesn't matter what's the size of your company; it's the cost to your business, how much that would cost if you've been hit by a breach or a ransomware attack.

Additionally, small organizations can be targeted because they can be utilized as a leverage point to other organizations as well. So getting into a legitimate email from a small company. But if they can phish a bank or a partner or a vendor of theirs, then they can utilize that as a chain to do bigger attacks.

That's a problem. Like a... yeah, kinda like a referral program. It's funny. When I actually got the information for the case study, one of the questions I had was, when Akira promises not to release the organization's data to third parties, I'm like, how do you know that they're gonna be good on that promise? And it's because they themselves are their own business. So they take your ransom. They take that $180,000. They promise not to release your data, and they make good on that promise because they want you to make that referral to the other small businesses they're gonna breach. And so they want people to know that if you pay the ransom, they'll be good on their word as well. Ransomware is a business, unfortunately, at this point, as well as ransomware as a service. But I could deep dive into that much longer. Do we have any other questions? If not, we thank you for making it out today, taking the time. This is a piece of the puzzle in awareness, so I applaud you all for attending today. And if you have any questions, again, my email is in there, jessica.kornelson@sophos.com. Reach out to me, and we are happy to help. Have a great day, everyone. Take care. Thank you. Alright. Thank you for joining.