Cybersecurity Risks for Business – A Primer on Prevention
As technology evolves, companies are finding ways to become more nimble and conduct business more efficiently — over remote networks, email on handheld devices, the cloud, and on cellphones. Yet, as technology advances, so too does cybercrime, with so-called “bad actors” finding new ways to strike while also stepping up their attacks in both frequency and severity.
For businesses, the fallout is costly, resulting not only in millions of dollars lost in direct costs, but also in expensive post-breach indirect costs — all the while damaging companies’ reputations and even potentially exposing their clients’ and employees’ sensitive data and information.
With cybercrime showing no signs of ebbing, and attacks growing more sophisticated, here are five areas in which companies are especially vulnerable, as well as recommendations on how they can protect themselves.
Business Email Compromise
Otherwise known as BEC, the term generally refers to a scam in which unauthorized access to an email account is obtained in order to fraudulently transfer funds. The FBI estimates that last year alone BECs accounted for $2.1 billion in losses — a likely low figure since that total only includes cases reported to the agency. In addition to direct losses stemming from the fraudulent transfer of funds, indirect costs associated with BECs can include necessary forensic investigations, technical remediation, fall-out litigation, and regulatory compliance. Importantly, these attacks can also seriously damage a company’s reputation in the event that the law requires client notification, or if the bad actors publicize their access. As the government focuses on other more headline-grabbing cybercrimes, criminals will continue to turn to BECs including, perhaps, even using “deep-fake” technology to further perpetuate their scams.
Recommendation — Ensure that you and your employees understand what warning signs to look for in a BEC schemer, and that there are established safeguards implemented anytime a transfer of money is requested. Also, ensure that multi-factor authentication is used by all employees and that IT professionals conduct regular software and email-rule audits.
Ransomware and RaaS
Ransomware generally refers to malware that is surreptitiously installed on a victim’s computer, locking it until a ransom is paid. These attacks can shut down entire networks and completely block a company from conducting its business. Like BECs, these attacks are extremely costly and there are few indications to believe they will seriously slowdown in 2023. One reason for this is the proliferation of “ransomware as a service” or RaaS, which enables people with little technological expertise to launch attacks through the purchase or lease of ready-to-use ransomware. Making matters worse, these attacks are often coupled with extortion demands, such as publishing a company’s sensitive data, to forcing them to pay ransoms quicker.
Recommendation — Develop and implement a data-security plan that forces you to think about how your data is stored, who has access to it, what the risks are, and what to do in the event of a cyber-incident. Make sure you have offline, physical back-ups of your data, and implement enterprise-wide multifactor authentication.
Data Exfiltration attacks are exactly what they sound like: the theft of important business data from a company’s network. That includes trade secrets, intellectual property, client information, and even employees’ personal information. Carried out through either the use of phishing emails, stolen login credentials or the exploitation of software vulnerabilities, criminals use their unauthorized access to steal valuable corporate data to both sell it and/or extort payment. The financial sector, legal profession, manufacturing, IT services, consultancy groups and engineering firms are all at risk. Unfortunately, growing targets include state and local organizations, such as health-care providers, school districts, and government agencies.
Recommendation — As always, the best way to guard against such an attack is to educate your employees about common attack schemes, as well as undertaking regular patching of identified software vulnerabilities, encrypting your most sensitive data both when it’s at rest and when it’s being transmitted, and implementing multi-factor authentication.
More and more companies have turned to cloud-based services and technologies to facilitate their everyday business, especially in wake of the Covid-19 pandemic. However, the pace of that expansion has often exceeded measures to ensure their cloud-based data stays secure. Threats are rampant, especially since companies often do not manage the configuration of these cloud services with their data, leading to costly misconfigurations that can offer criminals an attractive point of attack. Risks also arise when cloud data is either not encrypted and/or its users are not authenticated.
Recommendation — One way to combat a cloud attack is to adopt a “zero-trust” model, in which all end-users need to be authenticated and authorized before they are allowed access to cloud-based data and applications. Also, ensure your employees’ online capabilities are limited only to those purposes needed to accomplish their job.
The increasing use of cellphones for business purposes, including to authenticate remote access sessions or to otherwise access sensitive business data and information, has provided criminals with a fertile ground for attack. Hackers can install what is known as spyware, which is software that collects data and information inputted by the cellphone user without their knowledge. Bad actors can disguise this malware as legitimate apps, or even by installing malicious code in legitimate apps. This concern — which is particularly problematic within the Android universe — can also lead to the installation of malware that steals banking information, or simply run surreptitious advertisements that generate income for its owners
Recommendation — When it comes to cellphones, users should only download apps from trusted, or well-known sources. And never fall for an app that promises a payout or prizes.
As with all security, preparation is key, because when it comes to protecting your company against a cyberattack, it’s not a question of “if,” but “when.”
James Vinocur, a partner at Goldberg Segalla, has deep experience in the areas of cybersecurity, data privacy litigation, and institutional and corporate cyber intrusions. Prior to joining the firm, he spent 12 years with the New York County District Attorney’s Office where he served as deputy chief of the Cybercrimes and Identity Theft Bureau — a position in which he investigated domestic and international money laundering, financial crimes, corporate theft, and cyberattacks.