Cybercrime remains a threat to companies of all sizes. A lack of employee training and a lack of cybersecurity tools are among the biggest threats.
“As data breach lawsuits have shown, many organizations lack foundational security programs,” said Don Pecha, senior director of information security at FNTS. “Companies are still struggling to properly tune their security tools and reduce the false threats their teams are mired answering.”
The facts about cybersecurity are everywhere and paint a consistently sobering picture of how criminals continue to work their way into systems and networks. As noted by the 2022 Data Breach Investigations Report, published annually by Verizon, cybercriminals continue to morph from the stereotypical lone hacker in a basement to more sophisticated criminal enterprises.
For instance, the report states the median number of records breached decreased from 385,000 in 2008 to 80,000 in 2022, not because companies were better at thwarting the attempts, but because criminals became better at targeting what they could best monetize.
In North America alone, the report stated, 90% of attacks were from external sources and 96% were launched for financial gain.
What’s more, the bulk of these attacks follow the same tried-and-true criminal devices, albeit much more sophisticated than in previous years. Ransomware attacks are up 13% in 2022, a bigger increase than the previous five years combined.
“The likelihood of being affected by ransomware or malware is high,” said Denise Mainquist, managing director with ITPAC Consulting. “Phishing works, so that is still happening often. The strategies and content of emails are getting trickier, but the general approach still works.”
As with the threats themselves, an analysis of companies’ weak points reveals some familiar culprits when it comes to gaps in any cybersecurity system, starting with company employees and work partners. Verizon reports 82% of breaches can be attributed to human error, from weak or shared passwords to clicking on an infected attachment.
As Pecha noted, this isn’t always mere carelessness, but a result of attacks becoming much more technologically advanced.
“Impact today is more subtle and harder to address,” he said. “Artificial intelligence is driving better phishing attacks. AI is also driving more automated attacks, where the AI or an autonomous hive of bots attack a network and constantly record how firewalls, intrusion prevention, web-app firewalls and antivirus respond. They leave no record; they report and delete themselves. The hive learns and then can inform the owner who can leverage an attack they know will work and bypass all security.”
A Wide Net
The lingering effects of the pandemic haven’t helped the situation. As more and more workers spend time in remote work environments, the potential exposure to cybercriminals grows exponentially.
“When COVID hit, from a pure security perspective, one of the biggest vulnerabilities that got introduced or became exaggerated and significantly larger was there was a lot more work being done from personal devices, be it phones or computers,” said Chris Vilim, president of CoreTech. “People went home, and the company gave their employees access to their desk at the office through their PC at home.
“It was done because it needed to be done, literally tomorrow, with the expectation that this was going to be a short-term kind of thing. Once it became evident that this wasn’t just going to be a few weeks and we weren’t sure if it would become a couple months or years, and now in some cases more permanent, we’ve had to go back through and businesses have had to reevaluate that and put in the appropriate security protocols and products that are necessary.”
Even as the cybersecurity industry itself has become more sophisticated in its weapons and tactics against bad actors, it too faces challenges, especially when it comes to landing sufficient labor to serve existing customers and accommodate growth.
“The state of the cybersecurity industry is growing exponentially right now,” said Puja Kandel, principal owner of CMIT Solutions of West Omaha. “With reports of breaches happening regularly, the industry is making gains in heading off bad operators, helping companies become wiser and more stringent in their training and accountability of their workers to be safer online.
“At the same time, ISACA’s State of Cybersecurity 2022 report found that 60% of companies were having difficulty retaining their cybersecurity professionals in 2021, a seven-point jump from 2020.”
In Kandel’s words, this situation has driven home the “security is everybody’s responsibility” mantra for many companies.
“Security leaders must get innovative to address this challenge and also make sure all users understand security policies and risks,” she said. “Employees should be cautious in clicking links or giving sensitive information via emails, even if it appears legitimate.
“Companies should have regular training for employees on how to spot social engineering attacks and strategies. It is also essential for businesses to have guidelines in place when working with sensitive data. Businesses should make sure to keep all their computer software and hardware updated, because outdated software, drivers and other plugins are common security vulnerabilities.”
The impact of this new attention to security is immediately apparent across various industries. Passwords are a key cog in the cybersecurity wheel and more companies are taking steps to beef up login credentials with more sophisticated software that detects recycled or weak passwords and executes mandated password changes at the appropriate time intervals.
Vilim said passwords have always been the most basic key to solid cybersecurity, surprisingly effective yet routinely given short shrift by users.
“Good passwords are the No. 1 fundamental thing that we’ve talked about for 15 years when it comes to IT security,” he said. “If there’s one thing you need to do, it’s going in and making sure email accounts have multifactor authentication enabled. That’s going to be the easiest, cheapest, quickest way to head off threats.
“The second part would be making sure passwords are unique across all of your systems. Don’t reuse passwords. You don’t want a shopping site somewhere to get compromised and now the hacker has the password you used and it’s the same one you have to get into your bank account.”
As Vilim referenced, multifactor authentication is one of the simplest and most effective means of keeping the bad actors out. Companies are slowly adopting this as well as taking a harder look at who needs to have access to what in the first place.
“Cyber insurance providers are helping to push businesses toward better security controls,” Mainquist said. “All the insurance providers I am aware of now require multi-factor authentication for all remote access. If you don’t have it, you won’t get a policy. I am certain there will be a push toward multifactor authentication being implemented in all situations before long. Username and password alone are not secure.
“Many organizations have gone to using primarily zero-clients, which allows for central management of all machines and fewer patching issues. It creates a lower likelihood malware can be launched by an unsuspecting user, since activating those executables sometimes requires administrator privileges.”
The Big Three: The Most Prominent Cyber Threats
Local cybersecurity experts said the methods hackers are using haven’t changed much, but they have become more sophisticated. The following represent the most prevalent cyber threats going today, how they work and how to combat them.
1. PHISHING
What it is: Phishing is how criminals seek to gain access to a system, typically when an unsuspecting user clicks on an attachment, opens a file or responds to an offer they think is legitimate.
What it does: The tactic is responsible for defrauding thousands of people every year as well as stealing information or holding system information hostage. Newer versions can even co-opt email accounts, sending phony billing instructions from legitimate email addresses.
What to do about it: Educate employees to carefully consider the validity of any email with an attachment. Avoid popups or messages that urge quick action, especially for offers that look too good to be true.
2. MALWARE
What it is: Malware is short for “malicious software” and that pretty much sums it up: software that, once transplanted, wreaks havoc on your machine or your entire network.
What it does: Malware creates a host of problems through computer viruses and spyware, which allow outside intruders to derail your system or gain access to sensitive information. A specific species of malware – ransomware – freezes the machine and its data contents, forcing the user to pay a ransom to get it back.
What to do about it: There’s no one-size-fits-all for remediating malware, but a common best practice is using up-to-date antivirus programs that scan the computer for malware and delete any they find. The savvier user can also perform this function manually.
3. PASSWORD ISSUE
What it is: Passwords are supposed to keep the bad guys out. Unfortunately, most users fall short of creating effective passwords, using something an experienced hacker can easily decipher.
What it does: Lax passwords give immediate, unfettered access to all information and data on the machine. Worse, many of us use the same password for multiple applications – in the name of easy-to-remember – which means if a criminal gets your computer password, they also now have your banking password.
What to do about it: Create original passwords combining multiple letters, numerals and symbols. Change passwords often and don’t share passwords among your various logins. Finally, activate multifactor authentication, which is a secondary security step performed at log-in such as receiving a passcode on your phone.
Sources: phishing.org, mcafee.com, cisco.com, microsoft.com