Cyber threats are becoming more sophisticated every day, so businesses must be continually on guard against this menace.
Phishing emails that ask users for their credentials, money, or other items are the biggest cyber threats to businesses, according to Jessica Murray, IT account manager at Lutz.
“[Phishing emails] seem to be the most lucrative for hackers,” she said. “That one’s grown the most over the past couple of years, especially since the pandemic started.”
Phishing emails are the biggest conduit for malicious code to get into your system, CoreTech President Christopher Vilim agreed.
“[Bad actors] send a blast email or even target your group or industry,” he said. “The second most prevalent [attack] is email accounts getting compromised. If your account isn’t secure, they can gain access to the account, impersonate you, try to manipulate funds, and do a lot of things.”
Cybersecurity is a constant game of one-upmanship. Cyber thieves are always looking for new ways to access a firm’s system.
“It’s almost a daily evolution in the way they do even phishing attacks, how they customize that so it looks like [the email] is from someone you know so they can get you to do something,” Vilim said. “Their techniques are becoming more sophisticated.”
Train your team
Firms need to have good controls on their financial systems — such as requiring approval from two people before writing a check or executing a transaction — to ensure that the transaction is valid.
The other big threat is ransomware, which will encrypt all the data on a firm’s computer as well as its network.
“They can get at your backups, leaving you without anything unless you’re able to restore from somewhere or pay the guys off, which you don’t want to do,” Murray said.
Firms should have multi-factor authentication on email and most of their online accounts, so if a bad actor gets a password they can’t access the account, Vilim said. For instance, they wouldn’t have your phone, which has an app with a button on it that allows you to log into the bank site.
“Make sure you’re training your people,” Vilim said. “If [the bad actor] gets through your filters and your technology, you’re relying on your people to decide whether to click on a link.”
These cybercriminals take great pains to make their phishing emails look as if they’re coming from a legitimate source, someone the employee knows, or a company with which the firm does business. For example, a hacker masquerading as a manager may ask an employee to make a financial transaction or to buy $1,500 worth of Apple gift cards and mail them to a particular address.
Training is the first line of defense.
“You can buy the most sophisticated technology, but it’s really going to come down to the end-user and whether or not they can recognize a phishing email because if someone gives away their credentials there’s not much they can do about it,” Murray said. “The bad guys have their information to get in [to the network].”
Firms should make sure multi-factor authentication is turned on for virtual private networks (VPNs), emails, and all accounts.
“[Businesses] should consult and partner with a cybersecurity expert,” said Puja Kandel, principal owner of CMIT in Omaha. “They should also partner with a managed IT service provider company like us and have us maintain the IT infrastructure. If they decide to do it on their own then they should hire a dedicated IT employee and install antivirus and other key software and update the operating system patches on a regular basis.”
Kandel said small businesses can take several steps to shore up their security. They should provide firewall security for their internet connection, secure their Wi-Fi networks, train employees on how to handle and protect customer information and other vital data by using strong passwords, install antivirus and other key software and operating system patch updates, create a mobile device action plan, regularly back up the firm’s important data and information, control physical access to computers, and create user accounts for each employee.
“Businesses should practice cybersecurity guidelines and invest and consider implementation of multi-factor authentication such as password protection, biometric and/or facial authentication to avoid all these security problems,” Kandel said.
Typically, firms should do a large online training course annually with refreshers quarterly. “Have some tracker to make sure everyone does it,” Vilim said. “You need that quarterly training to keep it at the top of everyone’s mind. I highly recommend tests for end users. A couple of times each month we’ll send out a crafted email to the audience and try to get them to act. This has a two-fold purpose. One, if anyone clicks on it and follows the directions, we know they need more training and two, the staff knows only that [these emails] will come periodically so they will be hypervigilant about what they click on.”
Vilim said cybersecurity is becoming tough for businesses to do at a very high level without an IT person or consultant.
“Make sure you’ve turned on as much security on your systems as possible, and as quickly as you can make room in your budget to get some assistance with security,” he said.
The trend toward businesses buying cybersecurity insurance has picked up over the past 12 months, but requirements are becoming stricter. Cyber insurance companies require clients to have more security in place and offer a specified amount of training. Companies that don’t meet those requirements could be charged significantly higher premiums or denied coverage altogether.
“Make sure you answer questions on the application accurately,” Vilim said. “If [the insurance company] finds out you misrepresented something, even if it’s an innocent oversight, they might deny the claim.”
The bottom line is that businesses need to plan for cybersecurity in their budgets.
“It’s getting worse, not better,” Vilim said. “Your IT budget needs to increase because you’ve got lots of factors in place. The cost of technology is increasing with supply chain and other issues, and the cost of cybersecurity is going up.”