“Organizations with any strategically useful information, whether in the public or the private sector, must prepare themselves to deal with highly sophisticated phishing, infiltration, and data leaking campaigns,” says Adam Vincent, CEO of the cybersecurity company ThreatConnect, who was quoted by CSO.com in January 2017.
Cybersecurity is an issue affecting companies around the world. On average, large companies experience around 100 attacks a year, with about a third ending in “success” for the cybercriminal, according to the Institute for Fraud Prevention. And large companies aren’t the only targets. Cybercriminals also pursue smaller businesses, viewing them as more vulnerable and less likely to be able to thwart malicious attacks.
The takeaway: Cybersecurity threats aren’t going away and will likely only increase in sophistication. Your company will almost certainly be a target in one way or another.
Because of the gravity of many highly publicized attacks and the vast number of threats cyberattacks can pose, it’s easy for managers—particularly those in smaller organizations that have limited time and resources—to feel overwhelmed by the possibilities. There are simple steps, however, that even small companies can take to protect themselves. Although these measures may not safeguard against all cybersecurity breaches, many are relatively inexpensive, are easy to implement, and reduce risk significantly.
IDENTIFY AND ASSESS YOUR DATA
It’s critical for organizations to understand that the risk of cybertheft is proportional to the value of data itself. Attaching a dollar value to data will uncover a company’s cybersecurity risks, which means that an organization should first identify data used or stored within the company that might be of value in order to develop a strategy to protect against cyberthreats. This can be accomplished by considering who could possibly benefit by obtaining the data and how they would benefit. Account numbers, customer and vendor contact information, product lists, proprietary processes, sensitive employee information, email addresses—these are some examples of the potentially valuable information inside organizations.
Personal information is especially valuable. The 2017 Identity Fraud Study from Javelin Strategy & Research, a California-based advisory firm, shows that 15.4 million U.S. consumers were attacked and more than $16 billion in losses were incurred during 2016 as a result of identity fraud. (See http://bit.ly/2hNVvHU.) Mortgage lenders, apartment rental services, and other real estate operations maintain databases that contain consumers’ complete personal identifiers as well as lengthy financial, employment, and prior residence information. This type of data can readily be sold and resold to identity theft groups around the world. What’s more, these thieves frequently store the data for years before using it to generate cash, complicating detection. By sitting on the stolen data before using it, the thieves can reduce the chances that the theft is linked to them.
After your company has identified its valuable data and assessed its cybersecurity risks, it’s time to consider avenues of attack. Threats to cybersecurity can be posed by current or former employees and also by persons outside the company. Although the highly publicized cyberattacks on companies such as Equifax, Target, Kmart, and Verizon demonstrate the gravity of external threats, for many organizations the biggest threats to cybersecurity often lie inside or just outside the firm. With that in mind, let’s review some common internal and external threats, as well as tips to avoid becoming an easy target.
DEALING WITH INTERNAL THREATS
Here’s something troubling to ponder before your next data-security meeting: Internal data theft isn’t a faceless crime. In fact, the perpetrator is probably already on your payroll!
Take this hypothetical scenario: Cheryl, CEO of a large national company, shows up for another typical day at the office only to find her company’s secure executive email system compromised. Sensitive financial information and corporate strategic planning documents have been taken. The company brings in a forensic cybersecurity firm to sort out the facts, make sure all unauthorized access was closed out, and ensure the compromised programs were identified and fixed.
Then the next big surprise: The culprit wasn’t a foreign hacking ring. It wasn’t even an outsider. One of Cheryl’s employees, Mitch, was apparently disgruntled and admitted to stealing the information in an attempt to harm morale at the company and embarrass the CEO and general counsel. Mitch was immediately fired. But there’s more: An accomplice, still at the company, created a backdoor portal allowing Mitch to regain entry a month after the company got the “all clear” from the cybersecurity firm. Fortunately, Cheryl’s team had put 24/7 monitoring programs in place that picked up on Mitch’s middle-of-the-night intrusion, stopping it immediately. Cheryl’s team also identified the accomplice, and both he and Mitch were arrested and charged.
According to cybersecurity experts, there are likely at least 80 million internal cybersecurity attacks a year—and that number is probably much higher because many internal attacks go unreported. While external cyberattacks often garner more attention, the greatest threat is usually from inside your own firm, as the example involving Cheryl illustrates. These internal threats can be intentional, but they may also result from inadvertent actions, such as employees choosing an easy-to-guess password, responding to a suspicious email, or using their personal devices from a public Wi-Fi hotspot to access the company network. Smart internal cybersecurity thieves will patiently watch for opportunities that careless or sloppy employees present to them.
Clearly, some internal thefts or data corruption acts are malicious and are carried out to embarrass or harm the employer. This means that Human Resources departments must be part of an overall defensive plan because disgruntled employees typically signal their unhappiness to others.
Cyberattacks also are often carried out for financial gain. Consequently, since people typically steal money to spend money, lifestyle anomalies will commonly exist around financially motivated attacks. If an employee’s lifestyle is incongruent with his or her pay—Tom shows up to work one morning in a shiny new Mercedes instead of his battered old Hyundai—you may have reason to be skeptical.
COUNTERING THE RISK
One of the greatest challenges with increasing security is to be able to do so without creating counterproductive costs or losses in productivity. Creating a restrictive environment designed to lower risk can inadvertently reduce efficiency and lead to a cumbersome workplace. Nevertheless, organizations can institute some basic protocols without jeopardizing productivity. Here are some suggestions:
- Create an “anti-cybersecurity fraud” culture from the top down. Employees can help protect the organization if they’re made aware of the risks of cyberattacks and provided with safe channels through which they can report suspected threats. Give customers and vendors a safe reporting mechanism as well.
- Implement mandatory training and education programs to keep cybersecurity issues top of mind. Employees should view these programs as continuing professional education necessary to maintain their positions or to be considered for advancement.
- Require passwords to access valuable data, and set them to expire after a predetermined amount of time.
- Monitor secure-space entry codes closely, and change them frequently. Regular testing of security protocol procedures can help identify strengths and weaknesses in the system.
- Conduct background checks on all new employees and on all employees newly transferred to IT functions. Verification of education and work experience, as well as a criminal background check, should be part of a comprehensive security program.
- Establish processes to reinvestigate employee backgrounds periodically because life situations and levels of job satisfaction can change.
- Evaluate the security protocol measures in place at organizations to which your company outsources prior to contracting with them. IT functions that are outsourced or supported domestically or internationally should be held to standards similar to those in place internally.
- Limit employees’ access to only data that’s necessary for their jobs. Ensure, too, that former employees can’t access data after they leave the organization.
- Establish secure data-destruction processes for computer hardware and peripheral equipment. Install tracking and remote wiping programs on all electronic devices, such as laptops, tablets, and cell phones.
STARING DOWN EXTERNAL THREATS
Here’s another common scenario in the world of cyberattacks: Sam, who’s responsible for all of your company’s wire transfers, receives an email that appears to be from the CFO to go ahead and immediately wire the funds for an acquisition the company is closing on. The email looks normal, using language typical for the CFO, and includes a series of exchanges between the CFO and CEO on closing the deal. It also contains information on where to wire the funds and requests confirmation after the wire is sent. Sam quickly wires the funds, scans a copy of the wire, and sends a separate email to the CFO with the scanned copy. Minutes later, however, he receives a second email—again, apparently from the CFO—asking why he hasn’t sent confirmation of the wire yet.
Sam picks up the phone and calls the CFO, who has no idea what Sam is talking about. In a panic, Sam hangs up, calls the bank, and stops the wire. Luckily, it was halted in time. But not all companies are so fortunate. Sam went back to the original email and noticed one letter was different from the CFO’s real email address. He was a victim of what’s known as the business email compromise (BEC) scam.
Though internal threats may be the most common threat for organizations, external threats are still very common and can cost companies a bundle. Here are three scams that have been prevalent recently, plus some ways to protect your organization:
Business email compromise. One of the most common online scams is the BEC scam, with global damages over the past few years exceeding $5 billion, according to one estimate (see http://bit.ly/2xPHwvZ). The scheme can take different forms, but it often involves the cybercriminal sending an email that looks like it came from an executive in the company (the majority are from the CEO) or whoever is responsible for wiring money. The email is written in the executive’s typical style and form so it appears just like an email he or she would normally send, but the email address will usually have a slight difference. For example, it might come from Joe Smith (joe.srnith@company.com) instead of Joe Smith (joe.smith@company.com). (In the first address, notice the “r” and “n” that slyly form the “m” in Smith.) The crook requests an urgent wire transfer with instructions to send the funds directly to a financial institution where a fraudulent account has been created.
Another common version of the BEC scam is done through vendor invoices. The cybercriminal shadows employee email accounts and, just like with the CEO version of the attack, sends vendor invoices similar to the invoices the employee normally receives. The difference—and a huge red flag in these cases—is that the cybercriminal also sends new bank account information for all future payments.
It may sound difficult to catch a BEC scam, but there are a few proven ways to protect yourself. First, scroll over the email address to make sure any emails coming from executives are actually sent from their email address. Second, require that the person wiring money send a separate email to the executive “signing off” on wire transfers to ensure the approval is legitimate—never reply to the email chain received. Alternatively, require in-person or telephone confirmation. Finally, if a vendor sends new bank account information, verify this by phone as well.
Phishing. Phishing schemes attempt to trick you into (1) sharing confidential or sensitive information (for example, usernames and passwords, confidential information regarding personnel, or credit card or bank account information) or (2) clicking on a malicious link disguised as coming from a credible source. A common phishing attempt involves the cybercriminal sending an email that appears to come from a legitimate and trusted organization, asking the person to click on a link and “verify” information. The link itself may be a virus. It also may take the individual to a spoofed website to enter the information the criminal is after.
Phishing schemes have become more and more sophisticated, so often the emails and the spoofed websites appear at first glance to have come from legitimate companies. They may address the email from an employee who actually works for the real company, use a URL that’s close to the real one, and include logos and colors of the organization they’re trying to spoof.
Ransomware. Ransomware is a type of malware that blocks or limits users from accessing their systems and/or files unless a ransom is paid. The cybercriminal gains access to the server and locks the user out of the operating system or encrypts the data, only providing access or a “decryption key” once a ransom is paid. The amount of the ransom varies, but it’s often significant yet affordable enough for the organization to avoid risking data loss or further disruption from attempts to recover or decrypt the data themselves. Still, payment of the ransom is no guarantee that the cybercriminals will actually provide the key to decrypt the data. In addition, some victims who have paid the demands have been targeted again or have been asked to give more money once they paid the initial ransom.
Of course, individuals have been the target of ransomware attacks, too. Here are three common ways that these attacks are being spread and activated:
- Spam emails lure the receiver into opening an attachment that’s infected.
- Spam emails provide a malicious link to a spoofed website where the receiver is to download an invoice or tracking information.
- A malicious website creates a back door on the victim’s PC using vulnerable or outdated software.
MORE TO THINK ABOUT
Now that you think you’ve got everything covered and you’re prepared for any kind of event, here are a few more things to think about:
Know what your insurance policy covers. Cybersecurity breaches can cause extensive damages and include more than just monetary theft. Understand what your company’s policy covers, and make sure the coverage is appropriate given what’s valuable and at risk in your company.
React quickly and efficiently. Make sure you have an action plan in place, with specific preset responsibilities and responses, in the event of a cyberattack. Report any cyberattack attempts to law enforcement. You can also file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at http://bit.ly/2yye8tf. The faster you react, the higher the chance of recovery if there’s a loss.
A strong response can serve as a deterrent. Prosecuting external cybercriminals can often be difficult, but it should be pursued whenever possible. When detected, internal cybertheft can be easier to prosecute. Law enforcement should be notified and legal action pursued when prosecuting authorities deem it appropriate. (You should also consult your organization’s legal and tax experts regarding the issuance of IRS Form 1099-MISC for the value of the stolen data.) Strong responses such as these can potentially deter other cybercriminals from targeting your organization.
KEEP YOUR EYE ON THE BALL!
As you can see, the cybersecurity threats that your company will face in the years to come are enormous. To protect itself, your organization should continue to monitor cybersecurity risks and continuously test controls targeted at detecting and preventing both internal and external threats. Because cybercrime is fueled by boundless creativity, companies should approach cybersecurity as a dynamic process, working closely with both their internal experts and with outside consultants when necessary. Controls should evolve in response to previously encountered threats and anticipated future risk.
Staying one step ahead of cybercriminals won’t be easy and will eat up more cash and resources than your organization would probably prefer to commit. But the alternative is one you won’t want to contemplate: losses of data and, possibly, revenue; disgruntled current or former employees who may weaken and/or sabotage your existing systems; and a potential public relations nightmare. By taking steps now to spot the warning signs and institute the tightest security measures possible, you can help your organization enjoy a brighter, less stressful future.
7 Top Cybersecurity Websites
- Federal Trade Commission (FTC), Start with Security: A Guide for Business http://bit.ly/2yrq2pa
- National Institute of Standards and Technology, Small Business Information Security: The Fundamentals http://bit.ly/2ySApDh
- Federal Communication Commission (FCC), Small Biz Cyber Planner 2.0 http://bit.ly/2hOnCqn
- FCC, Ten Cybersecurity Tips for Small Businesses http://bit.ly/2ikSz9s
- National Cyber Security Alliance, Train Your Employees http://bit.ly/2xQwUNq
- FTC, Data Breach Response: A Guide for Business http://bit.ly/2xOHSCR
- U.S. Department of Justice, Reporting Computer, Internet-related, or Intellectual Property Crime http://bit.ly/2gPTb3o
Further Reading
- Barry Nathan and Pem Smith, “Cybersecurity: Watch Out for Data Leaks!” Strategic Finance, January 2016, pp. 62-63.
- Kelley Zanfardino, “Risk Management: What You Don’t Know May Be Costing You!” Strategic Finance, June 2017, pp. 35-41.
- Celia Paulsen and Patricia Toth, Small Business Information Security: The Fundamentals, U.S. Department of Commerce, NIST, November 2016.
- David M. Upton and Sadie Creese, “The Danger from Within,” Harvard Business Review, September 2014, pp. 94-101.
- Tamlin Magee, “Cybersecurity Trends 2017: Malicious Machine Learning, State-sponsored Attacks, Ransomware and Malware,” CSO.com, January 3, 2017.
November 2017