By Nathaniel C. Gravel, CISA, CISM, CRISC
One can hardly avoid seeing a headline about another data breach, ransomware attack, phishing scam, or other illicit incident executed through the electronic web that connects us all. The convenience and efficiency of the internet and world wide web come with a steep price for those who are unprepared. Let’s look at the landscape we are facing when it comes to protecting the information that cyber thieves are desperate to obtain.
Experts say it is not a question of “if” your business will be victimized by cyber criminals, but “when” the attack will take place. A cyberattack occurs every 39 seconds, and six billion phishing attacks are expected to be launched in 2022 alone. Maddeningly, we are our own worst enemies: 95% of all cyber security breaches are caused by human error. An employee responds to a “spoofed” email message; an accounts payable clerk pays a fake invoice; or the business owner can’t resist clicking a suspicious link.
No business is immune, no business is too small, no business escapes being targeted. Half of all cyberattacks are aimed at small- and medium-sized businesses – 60% of which go out of business within six months of a cyber security breach. Yet 77% of businesses lack a formal incident response plan, and only 5% of most companies’ files are adequately protected against cyber intrusion.
These attacks are not coming from a lone hacker living in their parents’ basement. They are conducted by highly sophisticated criminal organizations using cutting-edge technologies to launch thousands of attacks every day. The odds are in their favor.
What is at risk from a cyberattack? That depends on the type of attack. At the very least your business is going to suffer a period of disruption that can range from being a nuisance to completely shutting you down. Here are the most common forms of attack.
- Phishing or Malicious Email – Nobody is immune from being “spoofed” by an email that looks legitimate but is designed to penetrate your company’s network. That’s why 95% of cyber penetration is made via email. Think you are too smart to be fooled? An estimated 30% of phishing emails are opened.
Cyber thieves have become experts at making emails appear to be from a colleague or friend, or company management, or a customer. They may include a link or attachment that looks innocent but surreptitiously plants malicious files into your system. There they may lay dormant for days, weeks, or months before being activated to access data, steal valuable information, or disrupt your communications.
- Data Compromise and Exfiltration – If a criminal organization penetrates your network and gains access to your files your risk is extremely high that personally identifiable information (PII) will be stolen. PII ranges from employees’ social security numbers, to customer credit card data, to vendor bank accounts used for ACH transfers. These credentials can appear on the “dark web” within hours of a breach, being bought and sold in batches. The information is exploited to make purchases, open new credit cards, file false tax returns – and any number of illegal and costly uses.
A data breach can be extremely costly for many reasons. For example, in most states the party holding the information – you – can be fined thousands of dollars per day, per data file until the breach is resolved. You will be required to formally notify all individuals whose data was potentially accessed and assist them in monitoring their credit reports to watch for suspicious activity. Perhaps most costly in the long term is the embarrassment your business will suffer through public exposure of the breach, which can permanently damage the trust in which you are held.
- Ransomware – Although ransomware attacks make for bold headlines, the ransoms themselves are seldom huge; the average ransom payment for an SMB is about $130,000. Cyber criminals know that they are much more likely to get paid if their demands are reasonable and affordable, and many businesses quietly pay the price. The real cost of a ransomware attack comes in the loss of access to your network and information. How many days can you survive without the use of your computers? How long will it take you to reconstruct any lost data? Now that you have been targeted, how much will you need to spend to secure against future attacks?
- Credential Theft and Account Takeover – As we continue to rely on web-based applications and cloud infrastructure to carry out operations and deliver services to customers, we become increasingly susceptible to credential theft and account compromise. Usernames and passwords to web-based applications are stolen daily and are used to take over your online accounts. With critical business applications like e-mail and accounting systems now residing in the cloud, credential theft and account takeover can have a detrimental impact on your organization’s reputation and financial position.
What can you do to protect your company or minimize the damage caused by a cyberattack? Start by assessing your vulnerabilities. Then create and implement a Written Information Security Plan (WISP) that includes steps to plug any gaps identified and weaknesses revealed. Sadly, the biggest organizational failure occurs when a business invests in developing a WISP but does not fully implement it.
While every business has unique needs, a WISP typically addresses the following:
- Designation of the employee or employees responsible for the security program
- Identification and assessment of security risks
- Policies for storage of data, as well as access and transportation of personal information
- Disciplinary measures imposed on WISP violators
- Limiting access by/to terminated employees
- Managing the security practices of third-party vendors and contractors
- Methods of restricting physical and digital access to records
- Monitoring and reviewing the scope and effectiveness of the WISP
- Documentation of data security incidents and responses
Some of the concrete actions that must be taken to support a WISP and protect your business against cyberattack include:
- Penetration testing – A penetration test can reveal whether your system has already been infiltrated and identify where gaps and potential weaknesses exist. It is among the first steps to take to begin the process of building a more effective cyber security defense. Penetration testing should be repeated on a regular basis to help ensure that your data remains secure.
- Employee training – Individuals are the weakest point of the defensive array against cyberattack. It only makes sense that educating, training and testing of employees is among the most important steps you can take to avoid becoming a victim. All employees – including ownership and management – should receive formal training on recognizing threats such as phishing emails and malware attachments. This cannot be a “one and done” session but must incorporate refresher training to address new threats and reinforce previous instruction. Cyber security training can be done online, and employee attendance should be documented to provide evidence of the company’s efforts.
- Simulated phishing – A key part of educating employees is making sure the training is effective. Simulated phishing involves launching non-threatening email phishing attacks on your system to see which employees respond appropriately, and which are fooled into clicking on what could be a potential threat. This testing should be conducted frequently, on an unannounced basis, and the results acted upon. Simulated phishing should not be used to punish violators, but to reemphasize the need for their constant vigilance.
- Secure data backup – Data security is often a function of where you keep your files and who can access them. An internal firewall can be a powerful tool. But cyber thieves know about firewalls, too, and are working every day to defeat them. It is essential to have a firewall that is up to current security standards and is tested frequently. Cloud storage solutions typically provide a higher level of encryption and security, with frequent updates to address new threats. (This is in addition to the many benefits cloud storage provides for access to files in a distributed work environment.)
- Password policies – Let’s be honest. Many people use one password to access multiple accounts, perhaps even the same password for both personal and business use. If that password is breached, you have just given the keys away to a cyber thief. Every business should have a strong password policy and incorporate two-factor authentication for access to every part of your network.
- Dark web monitoring – Once Personally Identifiable Information (PII) is stolen it frequently shows up on the “dark web,” the nefarious underbelly of the more familiar and accessible world wide web. Credentials are bought and sold in dark web marketplaces that are hidden away from most users. Engaging in a dark web monitoring service will not prevent data from being stolen, but it will alert you to the fact that a breach has taken place so that you can respond more quickly.
While no federal data security laws are currently on the books in the U.S., most states have data security laws and regulations that require all organizations that possess and store Personally Identifiable Information (PII) to meet certain security standards. Massachusetts was one of the first states to introduce such a law (MGL 201 CMR 17.00) which has served as an example for cyber security laws in many other states. Data security compliance laws typically offer standards for securing private data and define penalties for non-compliance.
For companies doing business in more than one state it is important to note that you must be in compliance with data security laws in each state in which you have any connection – customers, employees, vendors, banks, etc. In addition, any company doing business in Europe, in the U.S. with a European company, or with customers in Europe are subject to the exceptionally strict GDPR regulations.
The rapid and widespread move to working remotely brought about by the COVID-19 pandemic has been a windfall for cyber criminals. Many businesses have simply allowed their employees to use their personal laptops and mobile devices to work from home, Starbucks, the local park, or a beach house. That means the company’s data is residing on unencrypted devices and moving across public internet channels. Easy pickings for a tech-savvy hacker.
A much more secure course of action is to provide employees with a company laptop that has been protected with a strong password, and to have data transfer occur over an encrypted virtual private network (VPN). This offers more of a challenge to cyber thieves and will help protect sensitive information and data as it travels between home and office or home and your cloud storage server. Here are important steps to take if your employees will be working remotely:
- Get into the Cloud – If your company is not storing its data and files in a secure, cloud-based network you should do so immediately. Cloud-based apps for accounting, CRM, file sharing, and creative efforts offer superior security and safe access – if you take the necessary precautions.
- Virtual Protected Network (VPN) – Don’t allow team members access to company data simply by being online. A VPN requires users to sign onto a specific network to access certain applications.
- Multi-Factor Authentication (MFA) – This is a two-step process that helps to ensure the person logging onto a network or application is, in fact, who they say they are. The two steps required are a password and unique security code, typically sent to an email address or cell phone.
- Zero Trust Security – Zero Trust architecture is the highest level of security currently available. No devices are ever considered to be inherently safe. All devices and users must always prove their authenticity, use the most updated patches for all software, with security assessing threats in real-time.
- Devices Policy – Allowing employees to use their own devices for business opens your files up to malware and viruses that can enter through social media and casual use. The best route is to provide “business-only” devices. If not, a VPN and MFA can provide limited security.
- Education – This should be #1 on the list. The weakest part of your company’s defense against cyberattack is the human element. Everyone should be formally trained to identify and be alert for phishing emails, suspicious attachments, spoofed emails and other cyber threats.
MITIGATION & SURVIVAL
You’ve been hacked and an unknown amount of data has been accessed. Or you have woken up to a ransomware notice on your computer. Or an employee on their lunch break clicked on a PDF to see pictures of cute puppies but inadvertently allowed a malware “worm” to enter your corporate network. What do you do now?
- Immediate response plan – Your WISP should include a detailed plan for responding to a data breach, ransomware or other type of cyberattack. The goal is to minimize damage, comply with state regulations regarding notification and mitigation, and secure restoration of files so that you can get back to business as soon as possible.
The immediate response document provides a step-by-step game plan for reacting to a catastrophic event, whether it is a cyberattack, fire, or natural disaster. Once the “fires are out” and everyone’s safety is assured, what do you do next? Simple checklists can help guide company leadership in stabilizing operations and putting things back on track as quickly and efficiently as possible.
It starts with something as commonplace as a company contact list, with names, phone numbers and email addresses of critical personnel who should be contacted in the event of an emergency. Each member of the management team should be assigned a recovery role and trained in how to execute it. Other checklists should cover critical steps such as data recovery procedures, incident reporting requirements, equipment replacement lists, customer communications processes, and mitigation of damage to key assets. Time is money, so the plan should include a recovery time objective (RTO) to make repairs, restore systems and minimize downtime so you can resume operations as soon as possible.
- File recovery and restoration – Securely backing up your files is one thing. Accessing that backup once you have been breached is another. Preparing an alternative network and “clean” devices that are separate from those that have been breached can help you get back up and running more quickly and securely.
- Business continuity plan – Your business continuity plan should be a written document that details how you will recover after a disaster occurs. For your company’s data and information this must include secure backup and archiving of critical files on at least a daily basis. The backup must be automatic, digital and include off-site storage so that you can quickly reestablish access to files. This might require an upgrade to your computing capacity and bandwidth.
Cloud storage of data is currently the most reliable way to secure data while providing quick access when required. But make sure the cloud environment you choose is the right one for your business and your needs, that it is truly secure, and that it will be readily scalable when your company’s growth necessitates expansion.
Personnel are also an important part of business continuity. Everyone should have a role to play and, wherever possible, should be cross trained in other aspects of the business to ensure a backup is available. Knowledge transfer and multi-role training can also help smooth transitions when an employee is promoted or leaves the company and must be replaced.
Nobody wants to believe they can be fooled by a phishing scam. Nobody wants to imagine the chaos that would ensue after a ransomware attack. Nobody wants to think about the catastrophic damage that would be caused by a data breach. Yet these calamaties occur every hour, of every day. It is the business leader who prioritizes preparation and prevention who will create a resilient organization with the best chance of avoiding an attack or surviving one when it eventually happens.
Nathaniel Gravel is a cybersecurity expert and consultant with Gray, Gray & Gray, LLP, a consulting, accounting and business advisory firm based in Canton, MA. He can be reached at firstname.lastname@example.org.