Last summer, an employee at a New Jersey-based business used a personal USB device to download something off the company system and, without meaning to, injected malware that resulted in a ransomware attack on the whole system.
Perhaps he should have known better. According to Norris McLaughlin cybersecurity law Chair Rebecca Warren, he was the company’s head of IT. Ninety percent of cyberattacks are occasioned by human error, Warren said as a panelist on the NJBIZ Cybersecurity Panel Discussion on Feb. 16.
Though that statistic hasn’t changed, the number of such events has. There’s been an “exponential increase” in phishing and cyberattacks since the onset of the COVID-19 pandemic, Warren said.
The uptick happened almost immediately and has been one of the focuses of the joint federal-state New Jersey COVID-19 Fraud Task Force launched in March. Carbon Black released data in October showing a 238% increase in phishing scams alone, where bad actors send faux work-related emails to people within a company to get them to click on a link that imports malware into the system.
Warren was joined by Chiesa Shahinian & Giantomasi Privacy & Data Security and Corporate Securities Group Member Michelle Schaap, New Jersey Cybersecurity & Communications Integration Cell Director Michael Geraghty, PCH Technologies President and CEO Tim Guim, and Grid32 Cybersecurity President Seth Danberry.
The best way to save employees from falling victim to phishing attacks, Schaap and Warren said, is education; and it’s going to look different than it did pre-pandemic. In the office, cube mates offer a sounding board to evaluate questionable emails, and someone to ask, “does this pass the sniff test?” for messages that are ultimately phishing attempts.
Businesses should engage in friendly phishing and vishing (voicemail phishing) and follow up with education when employees fall for it. One way to keep employees from falling into a phishing trap, Geraghty said, is to have “THIS IS FROM AN EXTERNAL SOURCE” inserted into the subject line of emails that come from outside the company.
“This way you give them a clue as to what to expect from that email. If you see something that says ‘external’ but it’s coming from your boss, hopefully that sets off alarms with the recipient,” he said.
With a large percentage of the workforce working remotely for nearly a year now, Guim said one of the biggest changes “is that the footprint change[d] tremendously. Rather than having 250 computers you’re protecting in one location, you have 250 endpoints you have to protect across the board.”
Not all home networks are secure. “Sometimes there wasn’t an opportunity for people to purchase corporately owned devices, where they’re working with their own devices, which presented a lot of issues in that perspective,” Guim said. “We had to change the type of technology that we deployed in order to protect these endpoints to make sure they were safe and secure working remotely versus working in a traditional office.”
Danberry is a self-proclaimed hacker—the good kind, he assures—and his company Grid32 Cybersecurity will hack into your systems to expose your cyber vulnerabilities. They won’t hurt a thing, though.
“We give them info on how it happened and how to avoid it,” Danberry said. He does so with a pentest, short for penetration test. A pentest is an authorized simulated cyberattack on a computer system performed exclusively to evaluate the system’s security.
Those who don’t take precautions and beef up their security run the risk of falling victim to ransomware, which is exactly what it sounds like: hackers lock a business’ system and require a ransom to return it to the owner.
According to Carbon Black, a $50,000 minimum asking price is not uncommon, and the average ransom in 2019 was $111,605. But that’s not the biggest or baddest: Tech news site BleepingComputer reported that hackers demanded a $10 million ransom from outdoor technology company Garmin after hacking into its systems in August 2020. Though Garmin did not confirm that it paid that ransom, it did confirm with BleepingComputer that it received a decryption key from its hackers to regain control of its system.
Though it’s one way to solve the issue—maybe—Warren noted that paying the ransom doesn’t guarantee hackers will give a key back to decrypt hacked information, and even if they do, what did they do with the information when they had control of it?
“When you pay a ransom, you validate the business model,” Geraghty said.
Panelists recommended security measures such as multi-factor authentication, which requires two separate pieces of information to gain access to a system, like a password and ZIP code. A passphrase can be more secure than a passcode, Danberry suggested; and keeping information on the cloud rather than on on-premises computers adds another layer of protection, according to Guim.
There are three factors that can be used to authenticate, Danberry explained: something you know, something you are, and something you have. A password is something you know; and if someone else knows your password, “they have the keys to the kingdom,” Geraghty said.
“We’re going to see a move toward something you are, so a fingerprint or an iris scan, or something you have, such as your cell phone or a two-factor key, like an RSA key. Passwords really are a huge problem,” Danberry said.
Guim recommended determining which data is most important to your company and building rings of security around it. “The best advice I can give to the audience is if you’re a robber and you approach two houses, and you hear a barking dog [at one but not the other], you’re going to go to the house without the barking dog,” Schaap explained. “Be proactive. Don’t wait for the ‘when’… incident response planning is critical.”
And don’t save it on the internet, she said, because if you’re hit with a ransomware attack, you won’t have access to it. At CSG, they give out notecards, as many as you want, to keep in your glove box, by your desk at home, or in your bag. Businesses want their employees to feel free to be candid: if they clicked on something, you want them to tell you. Then you can watch for any attacks, quickly respond and recover.
To maintain another layer of security, businesses should engage their vendors in conversations on their security measures as well.
“I want to know what type of technology controls a vendor has who’s going to be touching my sensitive data put into place. Are they going to be training their personnel annually? Are they encrypting their data? Do they have multi-factor authentication? If they’re processing credit card information, are they payment card industry compliant? Have they shown me certificates showing that they’re PCI compliant? If they’re going to be doing billing for me and I’m a health care provider, are they HIPAA compliant?” Schaap said.
This information can’t just be put into a drawer, she said—kick their tires once a year and request these reports.
Don’t forget about in-person vendors. Warren offered a real life example for why: A water delivery company in New Jersey was paid to get critical info from a law firm on a pending litigation matter.
“Oftentimes people don’t consider vetting their cleaning crew,” Schaap said. “If your cleaning crew is coming in with cell phones, what’s to stop the cleaning crew from coming in and taking pictures of sensitive information on a desk? [You need to vet] any vendor.”
Businesses that fall victim to cybercrimes can report them to the Internet Crime Complaint Center, which is a federal repository for cyberattack complaints. While Schaap says that the feds might not be able to do anything about it, it allows them to compile a database of bad actors. They may be able to identify the bad actor based on how they attacked and how they’ve attacked in the past.