Hacking and cybercrime are in the news daily, and everyone has likely been impacted by it in some way from the numerous high profile breaches of the companies that store our data. The increase of these threats has awakened us to the reality that we need a level of vigilance that offers better protection.
According to the Identity Theft Resource Center, data breaches increased 40 percent in 2016, with a total of 1,093 reported breaches. This trend continued in 2017, with over 1,120 cases reported by October. Ransomware was the most common threat. Global ransomware costs due to business productivity impact and mitigation are estimated to have exceeded $5 billion in 2017. An additional $2 billion was paid to hackers in ransom over that same time period.
The good news? Ransomware is down 70 percent over the past year due to new countermeasures in antivirus software, firewalls, and other mechanisms to thwart the attacks.
The bad news? These changes didn’t put the cybercriminals out of business. Instead, it caused them to adapt to other methods that eliminate the need for viruses and malware that can be detected by security software. Their newest method is known as Business Email Compromise (BEC), and it usually starts one of five ways:
So far in 2018, phishing emails are the most prevalent. These emails appear to come from legitimate contacts with a request to login to a malicious website disguised as a trusted website. Because this method does not require a virus or malware that can be detected by antivirus software, it allows hackers to bypass many of the most common small business security measures.
With the stolen password, the criminals will login to the email account (as well as any others servers, websites, or services on the network that use the same credentials) and quickly set up rules to forward any new incoming messages to an external account and hide incoming messages of replies sent out of the account by the hacker. This ensures they still have access to the data even after a password reset. From there they will go through the email messages looking for sensitive information that can be sold in online black markets.
The criminals will also search for messages related to financial transactions conducted with banks, vendors, or clients to either inject themselves into the conversation to redirect payment locations or to mimic those messages to instigate new transactions to their own accounts. After they have obtained the information they’re looking for, they will send a copy of their phishing email to all of the contacts in your address book in the attempt to snare them in the same way you were compromised.
If and when you do learn of the problem, your system has already been breached and the damages are done. Changing your password and conducting a virus scan on your PC at this point, while advisable, doesn’t solve the problem of ensuring the hacker didn’t get deeper into your network. Further, it’s possible the hacker had been in the system for days, weeks, or even months. At this point, your IT team, along with external security specialist vendors and law enforcement, should be reviewing network and server logs to determine when the breach occurred, which systems were accessed, and what data was possibly compromised.
When you receive a phishing email from a business contact, you need to assume they have been breached and any of your sensitive data stored in their mailbox has been compromised. Request a post-breach analysis from them to ensure they are following breach investigation and reporting guidelines and requirements.
If the information you send and receive would cause you concern if breached in a phishing scam, it probably shouldn’t be in the email system. Most email messages you send and receive are not encrypted fully end to end (if at all) and can be intercepted in transit without ever needing to breach your account. Ensure that you are using trusted secure and encrypted web portals for any information that is sensitive. Additionally, be sure to use unique passwords on each system you use as hackers may attempt your same email address and password across many popular e-commerce and banking websites. If a system allows you to use two-factor authentication (enter a one-time code from a text message in addition to your password), you should use it.
With cyber-attacks posing such a prominent threat to businesses, it is essential to create a plan to deal with the problem. Implementing and adhering to basic preventive and safety procedures will help protect your company from cyber threats.
Following are suggestions from a Federal Communications Commission (FCC) roundtable and the DHS’s Stop.Think.Connect. program for easily implemented security procedures to help ward off cybercriminals.
Security Tips for Your Company
Security Tips for Employees
Don’t Let it Happen to Your Company
According to the DHS, 96 percent of cybersecurity breaches could have been avoided with simple or intermediate controls. Strengthening passwords, installing anti-virus software, and not opening suspicious emails and links are the first steps toward cybersecurity. The FCC provides a tool to help small businesses create a cybersecurity plan.
A data breach could cripple your small business, costing you thousands or millions of dollars in lost revenue, sales, damages and reputation. Contact your ABIS Account Executive today to ensure you have the proper coverage to protect your company against losses from cyber-attacks.