A New Jersey company was having some construction work done and got an email — which appeared to be from the contractor — with instructions to send remittances to a new bank account. But “It was a scam, and the company lost nearly $1 million,” said Michelle A. Schaap, a member of CSG PC and head of the law firm’s cybersecurity practice. “It’s one of many common schemes by bad actors, and was the result of a business email compromise. Any time you get a change in remittance request, the best practice is to call the company directly — on a verified phone number that you’ve used before — and verbally confirm the change.”
Small- and medium-sized enterprises (SMEs) are facing a perfect storm, according to some cybersecurity professionals. Thanks to the COVID-19 pandemic, more people are working remotely and more business is being conducted online. These two long-term conditions give hackers more opportunities than ever before.
The fact that more companies — “even one- or two-person businesses” — have an online presence, means that there’s more opportunities for bad actors, Schaap added. She divides the working environment into two stages: pre-COVID and post-COVID, and said businesses must adapt to the changes.
“Pre-COVID, you may have had employees who would use their personal cellphones and other devices when they occasionally worked remotely,” she said. “Today, with remote work becoming the norm, that could be a disaster waiting to happen, especially if their devices are not secured properly.”
At CSG, even before the pandemic, “everyone received an incident response card,” which gave contact information in case something goes wrong, “from losing your cellphone to clicking on a bad website,” Schaap said. “In addition to the contacts’ company email and work number to whom to report, the card also gives alternative points of contact — that’s vital in case the company servers get shut down and you cannot report an event through work email addresses or phone numbers.”
She also suggested establishing controls “to respond to potential vulnerabilities, like mobile device management software that can wipe data if the device is lost or stolen.” Another tip: refuse to share a company device. “An employee at a small CPA firm was working on their personal computer at home, remoting in through the firm’s VPN [virtual private network]. The employee also made the computer available to their young son, who used it for gaming. The device was compromised through the gaming site and the hacker was able to access the firm’s customers’ tax records — taking ones that reflected a refund and altering the direct deposit information to accounts controlled by the hackers.”
A hidden threat
When a big company like Colonial Pipeline gets smacked by a ransomware attack, it’s splashed across the news. “But smaller companies face similar threats — without the same deep-pockets resources to combat them — and few people hear about it,” warned Mike Reagan, a New Brunswick-based vice president of consulting services at CGI Inc., a global IT and business consulting services firm. “Consequently, many small- and medium-sized business owners are aware of cybersecurity issues, but believe ‘it won’t happen to me.’ They wake up when they get hacked.”
Cyber-threats are always around, he added, “but now more people are working remotely, and home networks — or your local coffee shop — are generally not as secure as a business network. In addition to potentially compromising your own laptop, you may be giving hackers an entry into the company’s system.”
In addition to strong passwords — “you’d be surprised how many people use something like their mom’s maiden name for password, even though that can often be revealed by looking at a person’s publicly available Facebook account” — Reagan recommends awareness and training as the first line of defense.
“Even if your company can’t afford a dedicated IT security expert, you can hire a consulting firm to assess your vulnerabilities and make recommendations,” he noted. “We also recommend ongoing training, and initiating internal exercises, where the company sends out ‘fake’ phishing or other ‘corrupted’ emails to employees. If they click on a link, a message pops up that says, ‘you got nabbed by a training exercise.’”
Cyber-attacks “are gonna happen,” he added. “The best thing you can do is try to anticipate them and defend against them.”
Threats can come from unexpected places, Schaap said. “It’s important for companies to verify that their vendors are using best cybersecurity practices, since they’ve often got direct access to your systems. Major breaches at service providers like Kaseya [which develops remote-monitoring and management tools for handling networks and endpoints] and SolarWinds [which provides network monitoring and other services] highlighted these kinds of issues.”
She observed that the most cost-effective measure that a small business owner can implement is to train its personnel on cyber-mindfulness and cyber threats. She also pointed to NIST (the National Institute of Standards and Technology) as a good resource. “The NIST Cybersecurity Framework addresses threats and supports business, offering frameworks specifically scaled for small and mid-sized businesses,” according to Schaap. “Small businesses often don’t think they’re targets, or that cybersecurity measures ‘aren’t in this year’s budget.’ But some California courts won’t let business owners use that as an excuse if they’re sued for a breach. Basically, the courts are saying that ‘you can’t say you didn’t know about ransomware and other threats, because they’re in the news all the time.’ Even if a business owner can’t put all the necessary cybersecurity measures in at once, there’s no excuse not to at least start.”
Carl Mazzanti, founder and president of eMazzanti Technologies, has a ringside seat to cybersecurity challenges. “We have more than 28,000 active users, up from about 16,000 in July 2020,” he said. “How many do you think take shortcuts that result in security lapses, like using ‘1234employee’ for a password, which can be easily guessed; or using the same password in multiple spots, which means if a bad guy cracks a password he can access multiple accounts?”
Some simple safeguards
Mazzanti and his employees have been trying to boost their clients’ security by converting their sign-in to multifactor authentication, or MFA. It’s a multistep process that generally requires two pieces of evidence, or credentials, to log in to an account. The first is usually a password or personal identification number, and the second is something else, like a code number that’s sent to your cellphone and then entered to complete the sign-in process.
Jumping through hoops for ransomware insurance
Victims of ransomware [a type of malware that blocks access to a computer or system, and may also threaten to publish personal data, unless a ransom is paid, usually in hard-to-trace cryptocurrency] paid an estimated $350 million in 2020, up more than 300% from 2019, according to Carl Mazzanti, founder and CEO of eMazzanti Technologies. “In two high-profile cases, Colonial Pipeline paid attackers $4.4 million, and CNA Financial Corp. paid a whopping $40 million,” he noted.
Some “lucky” victims already purchased ransomware insurance, which generally picks up the tab for at least some of the payment. But Mazzanti warns that option may be disappearing. “On May 9, European insurance giant AXA announced it will no longer provide support for ransom payments made to hackers,” he said. “While AXA appears to be the first insurer to deny ransom payments, the move could signal an impending shift in ransomware insurance coverage.”
Meanwhile, “many cyber insurance companies had begun to ask more from the companies they insure,” added Mazzanti. “For instance, some insurers require policy holders to complete certain basic security steps. Others have begun to charge a coinsurance or limit payment to a percentage of the loss incurred.”
His tips include the following:
- Organizations should conduct regular data backups. Keep multiple copies of the backups, including a copy not connected to the network. And make sure to test the backups.
- Keep systems and software up to date, including antivirus and other security solutions.
- Develop and review an incident response plan. And test it periodically.
- Conduct regular cybersecurity training. Make sure users know how to recognize phishing attempts, share files safely and secure home offices.
- Address third-party risks. Examine the security practices of the vendors with which you do business to ensure they do not put your company at further risk.
So with MFA, even if someone cracks your password, they’re likely to get tripped up by the second level of authentication. As a bonus, if your cellphone pings with a code, and you haven’t tried to access your MFA-protected site, you’re now aware that an unauthorized individual has your password.
“We’re trying to improve people’s online safety, but when the workforce is decentralized, or distributed, it’s a lot more difficult,” noted Mazzanti. “If employees are using their personal computers, they often lack the sophisticated protection that corporate systems have. Also, even if the employee has a company PC or Mac, they often let their kid use the device, which can be disastrous from a security point of view, since kids will watch movies and go to game sites that are breeding grounds for viruses.”
He recalled one instance where a client complained that their mouse “suddenly switched to a left-hand operation. I asked, ‘Is anyone in your house a lefty?’ and they replied, ‘My kid, but I never let him use the company computer.’ I told him to check again, because that’s the most likely explanation, and it turned out that’s just what happened.”
In today’s remote-work environment, there are steps companies can take to enhance their digital security, he added. “In addition to MFA, training is at the top. Email is a top threat vector, so employees should know not to click on strange or unexpected hyperlinks, like a message that says: ‘I just sent you some money through PayPal, click here to accept.’”
Other safe practices include limiting the kinds of software that can be loaded onto a company device. “It’s not perfect, but that can limit exposure,” said Mazzanti. “Also, if you reduce the screen timeout — the period of inactivity it takes until the device goes to sleep — it may discourage your kids from using it to watch movies.”
In a sense, he added, hackers and other cybercriminals are like business owners: “They want to work efficiently,” said Mazzanti. “So if they have trouble accessing your device, they’ll probably move on to someone else.”