When the staff of a large New York City nonprofit agency with nearly 2,000 employees and volunteers was locked out of their computers, management thought the machines were at fault and kept buying new ones — but repeatedly suffered the same problem.
“Once a system’s been attacked, it can be exponentially more difficult – and expensive – to resolve, as opposed to having appropriate protections in place to begin with.”
– Carl Mazzanti, co-founder and president of eMazzanti Technologies
“The nonprofit recently contacted us and, when we sent a team to investigate, we quickly discovered that the organization had been hacked — likely through its email system,” said Carl Mazzanti, co-founder and president of eMazzanti Technologies. “We’ve got a full-time team working there now to try to remediate the situation, but the infections are so deep that it’s unclear just how long it’ll take to clean things up. Once a system’s been attacked, it can be exponentially more difficult – and expensive – to resolve, as opposed to having appropriate protections in place to begin with.”
Nationally, there were 791,790 complaints of suspected internet crime — an increase of more than 300,000 complaints from 2019 — and reported losses exceeding $4.2 billion, according to the FBI’s latest annual numbers in the 2020 Internet Crime Report. New Jersey losses alone totaled more than $100 million, according to the report.
The challenge is that businesses are “often focused on sales, customer service, and keeping the lights on,” Mazzanti noted. “Also, most news reports focus on the larger firms, but it fosters a misbelief among small- and medium-sized companies that ‘it will never be me.’ There are so many smaller firms, in particular, that have deployed little to nothing to protect themselves, that it’s an easy group to take advantage of today.”
Regardless of the size of an organization, “Management often doesn’t realize that assets they have — personally identifiable information like Social Security numbers, trade secrets and other data — may be worth a lot to the wrong people,” he explained. “This exploded during the early part of the COVID pandemic, when the federal government stepped in [the Pandemic Unemployment Assistance program was enacted, greatly expanding benefits] and understaffed unemployment offices across the country were basically approving almost every application. So bad actors were appropriating Social Security numbers and filing bogus claims.” Late last year, a New Jersey resident pleaded guilty to working with a co-conspirator to submit more than 100 fraudulent PUA claims in Massachusetts that resulted in more than $1.2 million in payments.
“We advise clients on ways to protect their systems, including limiting access to payroll and other records, installing MFA (multi-factor authorization, or a security step — in addition to using a password to access an account or app — which prompts a user to provide a second form of identity verification, like scanning a fingerprint or entering a code received by phone), install security incident monitors and other measures,” Mazzanti said. “But it’s up to them to accept and implement the recommendations.”
About 90% of all business threats start with social engineering, like phishing, according to Robert Lesher, a pre-sales solutions engineer at Aspire, a technology services firm. Phishing refers to scams aimed at stealing valuable information — like credit card and Social Security numbers, user IDs and passwords — using official-looking emails, apps and other strategies.
Someone — from individual hackers to well-equipped APTs, or Advanced Persistent Threats, to state-sponsored organizations — “is always on the lookout for low-hanging fruit,” he added. “Businesses tend to be at a disadvantage, because there are millions of emails flowing around each week, and some phishing attempts are bound to get through, especially if you’ve got an inexperienced person on your system who unknowingly clicks on a malicious link on a website or an email.”
But even experienced users can get caught by a “spear phishing’ attack,” or an email or electronic communications scam that targets a particular individual or business. “If a hacker knows the target and structure of a business, they may know just what to do to get someone to click on malware, which could propagate throughout the network, compromising systems’ customer and user data,” Lesher warned. “But businesses can try to guard against these and other cyber-attacks, and it doesn’t have to be expensive.”
Awareness is the first step, he said. “Show your employees examples of phishing emails — we offer a ‘KnowB4’ user awareness program that uses videos to train staff, and then tests their awareness to see if they will click on suspicious links.”
Other solutions include digital filters that may prevent harmful emails from showing up on a user’s account, and multi-factor authorization software that could potentially stop attackers from breaching an organization’s email account. “We offer and support solutions like Cisco Umbrella DNS security solutions, which can prevent a company’s employees from accessing a malicious site,” Lesher noted. “Another Cisco product, Secure Endpoint, watches for known files and activity and behavior; so if there’s unexpected activity on a person’s computer — like if a computer in human resources starts changing system commands or escalates user access — the Secure Endpoint program can rapidly detect, contain, and remediate the unexpected activity. Our teams can basically ‘look over the shoulder’ of small and large businesses.”
In one case, a panicked New Jersey-area nonprofit contacted Aspire after losing a “substantial” donation. “The finance director was using an Office 365 email system that was infected with a ‘man in the middle’ attack [where a hacker intercepts the victim’s communications],” he recalled. “The finance director got an email from a donor who planned to transfer a significant amount of money to the nonprofit. When the director followed up 10 days later seeking the status of the donation, the benefactor told him he had already wired the money to a specified account. But in fact, the hacker must have been following the email exchange, and sent the donor an official-looking communication with instructions to send the money to a different account, and the money was never recovered.”
There were multiple lessons to be learned from this, he added. “First, the nonprofit should have had MFA and other security in place that would have reduced the chances of a software breach. Additionally, the donor should have been advised to check directly with the nonprofit before following any new instructions about making a donation. Unfortunately, these kinds of incidents among unsecured organizations are all too common. That’s why we have a U.S.-based fully staffed managed services team and security operations center to help customers such as this in a time of crisis.”
Size does not matter
Even the smallest of businesses has critical data to protect, “whether it’s sales data, customer records, HR information, you name it,” according to Indu Peddibhotla, senior director, Market & Product Research, at IT solutions firm Commvault. “However, small and medium businesses don’t always have a large enough IT team or budget to manage every facet of data protection, especially not at the rate new, more sophisticated ransomware attacks and security vulnerabilities are surfacing. Yet small and large businesses alike are being challenged to keep pace.
Small business data continues to grow daily, and it lives everywhere, from legacy IT systems, in the public cloud, on new end-user devices and laptops, and in SaaS applications. This data sprawl is only getting worse, and it creates a growing “surface area” for data breaches and cyberattacks.
Organizations need “a multi-layered approach encompassing data management, protection and security,” he added. “Sound threat detection across your environment coupled with a proactive recovery plan can help keep your business up and running and help you rebound quickly in the event of a breach. It’s not a matter of if your business will be attacked, it’s a matter of when.”