Cybersecurity: Safeguarding against growing threats
by Brock Huffstutler
In 2021, the average ransom demanded by cybercriminals increased by 20 percent to $1.8 million. Data breaches in 2021 outpaced those in the previous year by 68 percent, while breaches involving personally identifiable information like Social Security numbers increased from 80 to 83 percent. With occurrences like these, business owners need to have awareness of new and emerging threats in the cyber landscape to determine where their focus and spend should be to keep their operations as protected as possible.
“We are seeing the same [types of cyber-attacks] rehashed, but the attack vectors are more advanced and being used in a more skilled way now than ever before,” says Bridget Wilson, chief information security officer, Network Coverage, Danvers, Mass., a firm that provides information technology solutions and managed cybersecurity services.
Wilson describes some of the most dangerous cyber threats businesses face today and offers some tips on protecting against them.
Threat: “Big vendors like Microsoft, hardware vendors like Lenovo or Dell and firewall vendors — all of those folks report vulnerabilities [in their operating systems] pretty soon after discovery. That’s great because it allows companies, clients and end users to be aware and to patch those vulnerabilities,” Wilson says. The threat, she adds, lies in the fact that “with this, these vulnerabilities are being made available on the internet and on the news. They are widely disclosed, so now you have attackers who might want to take advantage. So, not only are we, as the consumer, finding out about things right away, but attackers are even more aware as well. I’m sure that in 2023 that will continue, and we’ll see even more disclosures than previous years.”
- Protection tip: Wilson says the key is making sure your enterprise actively patches against vulnerabilities. “Ideally, you’re going to want to have an automated patch schedule in place,” she advises. “I recommend that for servers, you want to apply critical updates and reboot them at least once a month. For workstations, I usually say once a week. For example, you could make all staff aware that on Sunday nights, you are going to apply updates and reboot their machines.”
Phishing scams via text message
Phishing scams — instances where a bad actor sends a fraudulent message designed to trick a person into revealing sensitive information — are among the most common types of cyberattacks and are only increasing in volume. While phishing often occurs via email, Wilson says text messaging is a growing avenue of opportunity for attackers who are using some very specific types of bait:
Threat: Gift card lures. “’I just got a text from the CEO of my company; he is in a meeting and is really busy but needs me to buy three $500 Amazon gift cards from CVS and send them to him.’ Obviously, we know that doesn’t happen in real life, but a lot of people don’t, and they think they need to do this urgently,” Wilson offers as an example. “They are inclined to just do it without asking questions given the expressed urgency and the fact that a company exec appears to be making the request. That scam has been around for quite a while but it’s more rampant now than ever.”
- Protection tip: Wilson says being careful about the contact information you post on social media is crucial here. “I usually recommend that our employees don’t post their cell phone numbers on any social media,” she says. “LinkedIn is a big one because people think that because it is business focused, it’s safe to have your phone number there so recruiters can call you. But potential threat actors are on there too and all of that is public information. I would also advise against listing a cell phone in your email signature, just to try to reduce the number of text message scams that you’re receiving.”
Threat: Account compromise fakes. “I personally get fake Amazon texts all the time saying, ‘Your account has been accessed from an IP address in California — was this you?’ No, I’m in Massachusetts. So, I’m inclined to think, ‘Oh, I’ve got to jump in and change my password. Let me just click the link in this text.’ And of course, if I plug a password in or if I confirm my account, my account has been compromised at that point. That is another big thing we are seeing more and more of,” Wilson says.
- Protection tip: Do not click on links of this nature in unsolicited texts. If you are concerned about an account being exposed or compromised, login directly to the website to check for alerts, or call the company using the number published on their website.
Wire fraud and business email compromises
Threat: Wire fraud/business e-mail compromise is still big business among cyber attackers, and their methods are getting craftier every day, according to Wilson. “When a mailbox is compromised, the attacker isn’t necessarily sending out spam or doing anything that is super obvious,” she says. “They will lie in wait and gather information around somebody who is involved in invoicing or billing. An equipment rental business is a good example, because there tends to be a lot of correspondence around billing that happens via plain text email. The attacker might figure out who owes who what sum of money and then interject themselves into the email thread pretending to be an individual on one side or the other. They’ll say, ‘By the way, our payment address has changed. Here is the new place to submit your ACH payment or mail your check.’ And that payment is sent out to the new address. The person who has been compromised is none the wiser. If you don’t have cybersecurity insurance and you don’t figure it out within 72 hours, a lot of times you cannot get that money back or reverse that payment. That is wire fraud.”
- Protection tip: “I have been advising people — especially if you are in accounts payable or accounts receivable — to put a tag line in your email signature field in big letters saying something like: ‘Never trust payment information updates sent via email; we require confirmation over the phone for any changes to payment accounts.’ And have that be a policy that staff is aware of and has to adhere to, so they don’t make changes on the fly,” Wilson says.
Wilson says the No. 1 proactive step a business owner can take to help prevent cyberattacks is to routinely educate staff on the threats.
“The best thing that you can do is have a staff who is aware of all of this, is constantly reminded and goes through cybersecurity awareness training,” she says. “You want to get the wheels spinning and get people to stop and think before they click on the link. The way attackers get in the door is by catching an employee just not paying attention. Their guard isn’t up and one ‘oops’ click later, and the attacker is in.”
RentalU, the American Rental Association’s (ARA) online education platform, offers several cybersecurity awareness training videos. Click here to launch RentalU and then begin your search for cybersecurity resources by typing ‘cyber’ in the Search field.
Sources: Coalition; National Association of Insurance Commissioners