Some 3.4 billion fake emails are sent every day.

Edward Gately, Senior News Editor

October 18, 2019

With Halloween just around the corner, lots of people are looking for chills, whether through watching scary movies or visiting haunted attractions.

But the real terror lies in cybercrime, where cybercriminals never sleep and you never know if or when a data breach will make your life a nightmare.

Need proof? Check out these terrifying statistics:

  • Data breaches exposed 2.8 billion consumer records in 2018, costing U.S. organizations more than $654 billion, according to research by ForgeRock. Personally identifiable information (PII) was the most targeted data for breaches in 2018, accounting for 97% of all breaches, with unauthorized access encompassing 34% of all attacks.

  • Some 3.4 billion fake emails are sent every day, while 90% of large tech companies are vulnerable to email spoofing, according to Valimail.

  • Companies are spending an average of $18.4 million annually on cybersecurity, yet 53% of IT experts admit they don’t know how well the cybersecurity tools they’ve deployed are working, according to an AttackIQ/Ponemon Institute study. Only 41% of respondents said their IT security team is effective in determining and closing gaps in IT security infrastructure, while 75% said their IT security team is unable to respond to security incidents within one day.

  • Some 38% of the 2019 Fortune 500 do not have a chief information security officer (CISO), and once data breaches hit, it took an average of 46 days for the companies’ stock prices to return to their pre-breach levels, according to Bitglass research. Only 12% of enterprises are consistently able to detect insider threats stemming from personal mobile devices, including those that are off premises or lack agents, it said.

We spoke with some of these companies to find out what’s behind these scary statistics.

Ben Goodman, senior vice president of ForgeRock, said the opportunities that emerge with consumer PII are seemingly endless. Once PII is compromised, it can easily make its way to the dark web where it can be used for identity theft, synthetic identity creation and robotic account takeovers, he said.

“While enterprises continue to invest heavily in information security products and services to defend against threat actors, they are struggling to neutralize cybercriminals’ abilities to exfiltrate consumer PII,” he said. “It is essential that enterprises critically evaluate their identity and access management (IAM) strategies, practices and solutions to ensure they are adequately protecting their users’ PII.”

At a minimum, enterprises need to consider MSSPs and cybersecurity providers that provide modern, intelligent authentication methods that move beyond simple username and password, and provide fine-grained authentication to protect and secure resources, Goodman said. This needs to be a top priority for enterprises of all types and industry sectors as cybercriminals show no sign of slowing down, he said.

Stephan Chenette, AttackIQ’s co-founder and CTO, tells us organizations must have in place a solution that continuously assesses the viability of their security controls to make sure that they are enabled, configured correctly and operating effectively to thwart attacks and prevent data leakage.

“Cybercriminals are continuously looking for gaps in security defenses and overlooked basic security misconfigurations,” he said. “Channel partners provide enormous value in offering trusted recommendations to enterprises on their security needs, and the AttackIQ platform helps these providers determine specific needs of their customers and continuously validate whether new and existing security controls in customer environments are operating as intended.”

Jacob Serpa, Bitglass’ senior product marketing manager, tells us some organizations have a misguided belief that they are not likely to be a target for hackers and, consequently, assume that they don’t have to worry about cybersecurity as much as other companies.

“There is a misconception that larger or more widely known organizations represent a more lucrative target and that hackers are more likely to focus on them,” he said. “However, companies of all sizes, both public and private, can be prime targets for hackers if they have inadequate protections in place — no matter how ‘under the radar’ they may believe themselves to be. Additionally, cybercriminals will often target organizations that they believe have large amounts of desirable information (such as health care, financial services or government entities).”

When implementing BYOD, it is essential that organizations add proper security controls at the same time, not weeks, months or years after the fact, Serpa said. It’s also important to remember that insider threats come in many forms — some are malicious, while others stem from carelessness or poor security practices exhibited by employees throughout an organization.

Security controls that can help prevent insider threats and their resulting data breaches include:

  • Single sign-on (SSO), which serves as a single entry point that securely authenticates users across all of an enterprise’s cloud applications.

  • Multifactor authentication (MFA), which requires a second method of identity verification before employees or other users are allowed to access corporate resources.

  • User and entity behavior analytics (UEBA), which provide a baseline for normal user activity and detect anomalous behavior and actions in real time, allowing IT departments to respond accordingly and automatically.

  • Data loss prevention (DLP), which blocks or limits data access.

Vade Secure Unleashes Computer Vision Engine

Vade Secure’s new Computer Vision Engine, now available in all of its products, aims to enhance phishing detection accuracy.

Trained to view web pages and emails as humans see them, Computer Vision Engine identifies brand logos, machine-readable codes and text-based images, thwarting phishing attacks designed to bypass content filtering technologies and even computer vision algorithms relying on template matching or feature matching.

Adrien Gendre, Vade’s chief solution architect, tells us the core email security service his company’s partners are providing to their clients has been improved, with no additional cost and no additional effort/configuration required on their part.

“It just works,” he said. “The MSP has one action to define the antiphishing policy and they transparently receive periodic updates with new, innovative technologies; thus, they’re constantly offering their clients better protection. Moreover, the way the technology works addresses a common issue MSPs face every day — complaints from end users who report a threat one day and then receive what appears to be the exact same email the next day.”

Other computer vision algorithms that rely on template matching or feature matching can only detect exact matches of images, Gendre said.

“Essentially, the original image has a signature and the algorithm will only recognize images with the same signature,” he said. “By analyzing the rendering instead of the code, Vade’s Computer Vision Engine can accurately detect logos and other images, such as QR codes and text-based images, even when they’ve been modified from their original form and thus have a unique signature.”

Cybercriminals Target Google Infrastructure

A recent Office 365 phishing campaign showed that threat actors are switching tactics to include the use of Google infrastructure, according to eSentire.

On Oct. 16, both eSentire and external sources observed the use of Google storage to host phishing pages. Attackers are using Google infrastructure in an attempt to bypass standard email protection.

Multiple phishing pages have been identified using storage.googleapis.com to host Office 365 credential phishing pages. These attacks are similar to previous phishing campaigns which exploited blob[.]core[.]windows[.]net and azurewebsites[.]net to host phishing pages, according to eSentire. Preliminary investigations show that multiple phishing campaigns are employing a similar prefabricated phishing kit.
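For defenders who want to triage mail for links served from the hosting services named above, the following added example (not from eSentire or the original article) extracts URLs from a message body, undoes defanging and matches hosts against those three suffixes. The sample message, bucket name and app name are constructed; because all three suffixes are legitimate cloud services, a match is a reason to look closer, not proof of phishing.

```python
import re
from urllib.parse import urlsplit

# Hosting suffixes named in the eSentire report above. All three are
# legitimate cloud services, so a match is a triage signal, not a verdict.
CLOUD_HOST_SUFFIXES = (
    "storage.googleapis.com",
    "blob.core.windows.net",
    "azurewebsites.net",
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def refang(text):
    """Undo common defanging (hxxp, [.]) so URLs parse normally."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".")


def matched_suffix(host):
    """Return the suffix if host is that domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    for suffix in CLOUD_HOST_SUFFIXES:
        # Require a label boundary so "storage.googleapis.com.example.org"
        # (suffix in the middle of the name) is not counted as a match.
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def cloud_hosted_links(message_body):
    """List (url, suffix) for every link served from a watched suffix."""
    findings = []
    for url in URL_RE.findall(refang(message_body)):
        url = url.rstrip(".,;")
        suffix = matched_suffix(urlsplit(url).hostname or "")
        if suffix:
            findings.append((url, suffix))
    return findings


# Constructed sample message; bucket, app and domain names are made up.
SAMPLE = """Your mailbox is almost full. Sign in to keep receiving mail:
https://storage.googleapis.com/example-bucket/o365/login.html
Mirror: hxxps://example-app[.]azurewebsites[.]net/signin
Unrelated: https://storage.googleapis.com.example.org/login.html
Newsletter: https://www.example.com/news
"""

if __name__ == "__main__":
    print(cloud_hosted_links(SAMPLE))
```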

Sean Blenkhorn, eSentire’s chief product officer, tells us this is just another example of the continuous game of cat and mouse that security providers and threat actors play. One of the biggest benefits of managed detection and response (MDR) is the around-the-clock threat hunting that is always being conducted, he said.

“The real risk from campaigns like these comes in the early hours and days they are deployed where organizations relying on traditional security vendors are left exposed while waiting for updated signatures on their email protection platforms,” he said. “Now that the details of the campaign are public, it is much easier for organizations to protect themselves, but there is no guarantee that 100% of phishing attempts using this technique will be detected. As with any phishing attack, the weakest link is always going to be the people within an organization, so the best way to defend against any attack is going to be educating your employees on ways to identify and avoid phishing emails.”

Attacks specifically targeting MFA have been identified in the wild, but employing MFA is still considered a best security practice for preventing account compromise, according to eSentire.

Forcepoint Expands Web Security Availability

Forcepoint says it now offers the industry’s most expansive global cloud footprint with the availability of Forcepoint Web Security across 160 public points of presence (PoPs) in 128 countries, representing more than 65% total global presence.

This PoP expansion brings Forcepoint services to virtually anywhere in the world while delivering optimal security and productivity-enhancing capabilities including low latency, data sovereignty and content localization, according to the company.

The expansion will allow enterprises and government agencies to securely access web-based content whether they are in the office, at a remote location or on the road.

“In a cloud-first world, people are the new perimeter,” said Matthew Moynahan, Forcepoint’s CEO. “That’s why we’re starting to see legacy security players still embracing an infrastructure-centric approach increasingly become irrelevant. If the security industry does not transform from a world of point products to cloud-native capabilities, it, too, will have this $100 trillion global digital transformation business opportunity pass it by. Utilizing modern cybersecurity from enterprise-class, cloud-first companies such as Forcepoint can in fact help enterprises leapfrog the competition by accelerating their digital transformation efforts with dynamic and proactive security designed for today’s modern threat landscape.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
