Interview with Tom Meehan, CFI
Meehan is retail technology editor for LPM as well as chief strategy officer and chief information security officer for CONTROLTEK. Previously, Meehan was director of technology and investigations with Bloomingdale’s, where he was responsible for physical security, internal investigations, and systems and data analytics. He currently serves as the chair of the Loss Prevention Research Council’s (LPRC) innovations working group. Meehan recently published his first book titled Evolution of Retail Asset Protection: Protecting Your Profit in a Digital Age. He can be reached at TomM@LPportal.com.
Cybersecurity Trends and Strategies
It is no surprise that cyber incidents have become a significant concern, not only for large enterprises but also for small to mid-size businesses (SMBs) and consumers. No one is immune from attack, which means everyone, both individuals and those inside an organization, shares responsibility for protecting assets.
This article will cover the top areas where malicious activity occurs, the critical trends in cybersecurity that put companies at risk, and the importance of creating a corporate strategy for better cybersecurity hygiene.
First, what exactly is a cyber incident? The FBI defines a cyber incident as “a past, ongoing, or threatened intrusion, disruption, or other event that impairs or is likely to impair the confidentiality, integrity, or availability of electronic information, information systems, services, or networks.”
Ransomware is malicious software that locks computer files by encrypting them; the attacker then demands a payment (ransom) to release them. Ransomware continues to be a significant concern for businesses. Cloudwards reports that 37 percent of companies were hit by ransomware in 2021, and that the largest ransom demand that year, a whopping $50 million, was made to computer maker Acer in March 2021. In 2021, a company fell victim to ransomware every eleven seconds.
Ransomware can arrive in several ways, the most common being someone clicking a link in an email, which executes malicious code. One of the most troubling developments is that many ransomware attacks now target solutions providers: a single IT services company was recently attacked, and several hundred of its customers were infected through it. Because one compromise fans out to every downstream customer, this type of attack is especially concerning.
One positive result of the increasing threat is the growing concern of the federal government, which now investigates ransomware with the same priority it gives terrorism. In the Colonial Pipeline incident of May 2021, for instance, the company paid 75 bitcoin (roughly $4.4 million at the time), and the federal government later seized 63.7 of those bitcoin, worth about $2.3 million by the time of the seizure.
However, that is not always going to be the case; most companies that pay a ransom never see the money again. For a small business, a ransom is often $3,000 to $10,000, and sometimes as large as $100,000; for large enterprises, ransoms can easily reach the millions. Some question the wisdom of paying, but it may be the only option in some cases. According to Cloudwards, 32 percent of victims paid a ransom in 2021, and those who paid recovered only 65 percent of their data on average. Paying, in other words, is no guarantee of getting everything back, which is why restorable backups matter.
Here are a few critical recommendations for organizations to protect themselves against ransomware attacks:
Don’t click it. Don’t click links or open attachments in an unexpected email. Taking extra time to validate an email, for example by confirming the request with the sender through a phone number you already know, is always a good use of time.
Stay up to date. Companies running outdated IT systems likely have inadequate protection. Cybercriminals even scan job websites for companies hiring programmers with COBOL experience, because a need for COBOL, an old language still widely used, signals legacy systems that are likely to be poorly patched. Likewise, running versions of Windows or macOS for which patches (updates) are no longer developed significantly increases a company’s risk.
As 5G networks are built out, the number of connected Internet of Things (IoT) devices and sensors will continue to expand, which exposes networks to large-scale attacks. I believe this will become a company’s most significant cyber risk over the next five years: the more connected you are, the more vulnerable you become, because your digital footprint expands.
Each connected product creates an entry point into your network. Even if an IoT device does not offer an intrusion point into your network, it can still be a disruption point for your business if it is knocked offline or tampered with.
Any connected device must come from a reputable company and be patchable. Companies should also make sure someone manages the life cycle of their IoT devices: a solution purchased five years ago might not be patchable three years from now, so someone must be responsible for recognizing when specific devices reach end of life and for retiring or isolating them.
Another 5G risk stems from its most significant benefit, speed: attackers can reach and move through a network with increasing ease and speed. For this reason, cybersecurity professionals are examining many IoT devices for backdoors and other vulnerabilities. As a standard best practice, companies should also update their network encryption, because much of what is in use today is outdated.
Over the last two years, employees working from home have become a significant risk for their organizations. Malicious actors exploit misconfigured cloud security settings and insecure home networks and devices. Think about an organization’s digital footprint to get a more holistic view: even a headset or phone connected to a computer is another potential entry point. Remote workers are targeted by phishing via email, text, voice, and third-party apps, so they must remain vigilant. (See below for more information on phishing.)
Another piece of advice is to avoid “crossing over” devices. Resist the temptation to let your child use your work computer for a few minutes, and refrain from using your work computer for personal purposes, since any website you visit or email you open may pose a threat.
Phishing is a type of attack that targets users through email, text message, or direct message. The attacker poses as a trusted contact and steals data such as logins, account numbers, and credit card information. Phishing attempts are becoming more sophisticated and creative as attackers become more savvy, but what unites them is a common purpose: identity theft or delivering malware. Below is a review of the main types of phishing attacks.
Spear Phishing. Unlike spam, spear-phishing attacks target specific people within an organization. Hackers usually customize emails with the target’s name, title, work phone number, and other details so the recipient believes the sender knows them personally or professionally.
Whaling. Whaling is spear phishing aimed at CEOs and other executives. The payoff is drastically higher because these individuals often have unrestricted access to sensitive corporate data. Whaling is typically carried out by criminal organizations with the resources to research and execute such an attack.
Business Email Compromise (BEC). In BEC attacks, criminals impersonating executives lure customers, employees, or vendors into wiring funds to an attacker-controlled bank account. According to the FBI’s 2019 Internet Crime Report, BEC was the most damaging and effective type of cybercrime that year.
Clone Phishing. The scammer creates an almost identical copy of an authentic email, such as one from your bank, so that you will share valuable information. The attacker replaces what appears to be an original link or attachment with a malicious one and sends the email from an address that resembles the original sender’s, which makes it harder to spot.
Vishing. Also called voice phishing, vishing is when a scammer spoofs a well-known, trusted company’s phone number on the victim’s caller ID to entice them to answer. After impersonating an executive or official, the scammer uses social engineering or intimidation to collect money purportedly owed. The victim may also receive a voicemail asking them to call back a number; when they do, they are prompted to enter personal details.
Snowshoeing. Snowshoeing is a method attackers use to circumvent spam filters. They send messages from many domains and IP addresses, with such a low volume from each that reputation-based spam filtering cannot detect and block the malicious messages immediately. Messages often reach inboxes before the filters learn to stop them.
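As an added example (not code from this article or from CONTROLTEK), here is a small Python triage script that applies two of the checks implied above to a constructed batch of inbound messages: it flags senders whose domain imitates a trusted one, the tell-tale of clone phishing and BEC, and it groups messages by a content fingerprint to surface a snowshoe campaign that is spread thinly across many domains and IPs, which a per-sender reputation filter cannot see. The trusted-domain list, the confusable-character table, the thresholds, and the sample messages are all assumptions for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Domains this organization treats as trusted senders (assumed list).
TRUSTED_DOMAINS = {"controltek.com", "lpportal.com", "bloomingdales.com"}

# Substitutions attackers use to build lookalike domains (small illustrative table).
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain):
    """Lowercase a domain and undo common character-substitution tricks."""
    d = domain.lower().strip()
    for bad, good in CONFUSABLE_PAIRS:
        d = d.replace(bad, good)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain a sender imitates, or None if trusted or unrelated.
    An exact match or a subdomain of a trusted domain is accepted here; spoofing of
    the exact domain is the job of SPF/DKIM/DMARC, not of this check."""
    sender = sender_domain.lower().strip()
    if sender in trusted or any(sender.endswith("." + t) for t in trusted):
        return None
    norm = normalize_domain(sender)
    for t in trusted:
        brand = t.split(".")[0]  # short brands over-match; tune per organization
        if (norm == t                              # contro1tek.com -> controltek.com
                or levenshtein(norm, t) <= 2       # controltec.com, controltek.co
                or brand in norm.split(".")[0]):   # controltek-invoices.net
            return t
    return None


def fingerprint(body):
    """Hash a body with URLs, numbers and whitespace normalized away, so per-recipient
    tracking numbers and links do not break the grouping."""
    text = re.sub(r"https?://\S+", "<url>", body.lower())
    text = re.sub(r"\d+", "<n>", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def find_snowshoe_campaigns(messages, min_senders=3, max_per_sender=2):
    """Report fingerprint groups spread thinly over many (domain, IP) pairs."""
    groups = defaultdict(list)
    for m in messages:
        groups[fingerprint(m["body"])].append(m)
    campaigns = []
    for fp, msgs in groups.items():
        per_sender = defaultdict(int)
        for m in msgs:
            per_sender[(m["from_domain"], m["src_ip"])] += 1
        if len(per_sender) >= min_senders and max(per_sender.values()) <= max_per_sender:
            campaigns.append({"fingerprint": fp, "subject": msgs[0]["subject"],
                              "messages": len(msgs), "senders": len(per_sender)})
    return campaigns


def triage(messages):
    """Return (subject, reason) for every message sent from a lookalike domain."""
    flagged = []
    for m in messages:
        imitated = lookalike_of(m["from_domain"])
        if imitated:
            flagged.append((m["subject"], "lookalike of " + imitated))
    return flagged


def _msg(domain, ip, subject, body):
    return {"from_domain": domain, "src_ip": ip, "subject": subject, "body": body}


PARCEL = "Your package {n} could not be delivered. Track it: http://{host}/{n}"
# Constructed sample batch (documentation-range IPs, no real senders).
MESSAGES = [
    _msg("mail.controltek.com", "203.0.113.10", "Q3 budget", "See attached."),
    _msg("contro1tek.com", "198.51.100.7", "Updated wire instructions",
         "Please redirect tomorrow's wire to the new account below."),
    _msg("controltek-invoices.net", "198.51.100.9", "Invoice 1001",
         "Invoice attached, please pay by Friday."),
    # Snowshoe campaign: one template, four throwaway domains, one message each.
    _msg("pkg-alert.example", "192.0.2.11", "Delivery failed", PARCEL.format(n=4821, host="pkg-alert.example")),
    _msg("track-a.example", "192.0.2.12", "Delivery failed", PARCEL.format(n=7733, host="track-a.example")),
    _msg("parcel-notice.example", "192.0.2.13", "Delivery failed", PARCEL.format(n=1902, host="parcel-notice.example")),
    _msg("delivery-1.example", "192.0.2.14", "Delivery failed", PARCEL.format(n=6650, host="delivery-1.example")),
    # Legitimate bulk sender: same body three times from one domain and IP, not snowshoe.
] + [_msg("newsletter.example", "203.0.113.50", "Weekly update",
          "This week's 5 new articles are online.") for _ in range(3)]

if __name__ == "__main__":
    for subject, reason in triage(MESSAGES):
        print(f"FLAG {subject!r}: {reason}")
    for c in find_snowshoe_campaigns(MESSAGES):
        print(f"SNOWSHOE {c['subject']!r}: {c['messages']} messages from {c['senders']} senders")
```

Run on the sample batch, the script flags the two lookalike senders and reports one snowshoe campaign of four messages from four senders, while the legitimate newsletter (three identical messages from a single domain and IP) is left alone. In production the fingerprint and sender counts would be accumulated over a sliding window of real mail-gateway logs, and the confusable table would be replaced by a full homoglyph list.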
Many scam emails center on current events, such as package tracking and vaccine information, and hackers automate the sending of thousands of such emails.
COVID-19 was, of course, the biggest news in 2021. Vaccination information was in demand, from the current state of the disease to the location and timing of vaccinations, and this online behavior was ideal for malicious actors. The United Kingdom’s National Health Service warned about fake vaccination-appointment emails, and IBM X-Force identified a supply-chain phishing campaign targeting the vaccine cold chain.
Spear phishing, described above, continues to gain popularity. As opposed to sending a message to many people, it targets a small number. A good example is an email sent to a specific group, such as colleagues, about a particular topic or even a particular project, designed to entice one recipient to click a link or provide information.
Spear-phishing attacks are not necessarily aimed at delivering ransomware. In many cases, spear phishers want to monitor what you are doing and harvest information such as login credentials. For example, say you initiate a wire transfer; the following day, an attacker who has been watching your mail sends an email posing as an official request to redirect the wire to a different bank account. The same tactic is used over the phone. Whatever the case, the rules of thumb are never to give out credentials, always to use two-factor authentication, and to confirm any change in payment instructions through a channel you already trust rather than the one the request arrived on.
More than 80 percent of reported cyber incidents result from social engineering, the broader category of attacks (of which phishing is one form) that manipulates people into divulging confidential information. Ninety percent of organizations reported experiencing a social engineering attack within the last year.
In essence, these attackers are modern-day con artists who initiate a conversation and try to build trust. Some even attend job interviews to learn more about a company before beginning their attacks.
While social engineering is a popular tactic in phone attacks, it also occurs in email. Email filters have matured and can sometimes identify social engineering emails, and user awareness campaigns also play a significant role. Organizations need ongoing training to help employees spot the latest techniques cybercriminals use.
Unfortunately, a company’s most significant risk is human error. Seventy-five percent of cyber incidents originate from within the company, and 40 percent start with an employee falling victim to a phishing or social engineering scam.
Beyond employees, contractors and security guards can also pose an insider threat, since they have access to your offices and computers. Again, it is important to note that this is something a company can control. In a wide-reaching study of breaches, IBM found human error to be a major contributing factor in 95 percent of them.
Human error shows up in several ways. Employees often fail to install software security updates or reset passwords, exposing sensitive data, and cyber risk professionals are equally concerned about cloud-based apps being misused or misconfigured.
Unintentional breaches stem from remote work, inadequate training, or the absence of security best practices, and they can harm your company’s data, finances, and brand reputation. A successful cybersecurity strategy must therefore include proactive measures to mitigate human error, because skilled cybercriminals understand that security measures are only as effective as the people who implement them.
Lack of Protection
Companies can also control their insurance coverage, which is a necessity for modern business. Obtaining coverage isn’t enough, however: companies should thoroughly review their policies. Traditionally, cyber insurance is limited to covering the costs of identifying and recovering from an incident. Companies must also consider liability, particularly when they hold customer data. Make sure your policy covers everything you might need, including business email compromise and ransomware.
It is important to remember that the best protection is a strong defense. Educating employees on ever-changing tactics and on proper cybersecurity hygiene is critical to keeping your company protected.