Date: 2021-12-09

One in five small and midsize businesses have reported experiencing a ransomware attack. Ten percent of small businesses that experienced a cyber attack went out of business.
“It's not a matter of if, but when” a business will experience a cyber attack, said John Johnson, president of the Docent Institute, a nonprofit that offers education on cyber security and other technology.
All businesses, regardless of size or sector, are at risk of cyber attacks. Here's what you need to know to protect your business.
Small and midsize companies are the most at risk
Ransomware attacks on midsize companies are the most common cyber-security breaches in Iowa. But a lack of publicity about the attacks leaves companies with a false sense of security.
“Manufacturers have long had the view, ‘I don't typically have as much data or information that others would want so therefore I'm a lower risk,’” said Mike O’Donnell, manufacturing program director for Center for Industrial Research and Service at Iowa State University. “I believe that in the last few years it's become more and more clear that all businesses are at risk.”
Small and midsize companies are often targeted because cyber criminals know those businesses can't fund multimillion-dollar cyber security defense strategies like larger, national companies.
Once cyber criminals are into your servers and demanding ransom, it is often too late to do anything. You should proactively plan what recovery would look like after an attack. Without a plan, it comes down to the decision of paying or not paying ransom.
Newly proposed legislation in New York, North Carolina and Pennsylvania would prohibit government entities from paying cyber criminals to retrieve their data. Supporters of the bills argue that this would reduce cyber attacks because criminals would have no incentive to attack entities without the possibility of a paid ransom. However, local governments that experience an attack might not be able to restore their stolen data quickly, and that could be more costly than paying a ransom.
Cyber criminals are becoming less likely to respond to ransoms, even if they initially request them. Ransom rates are also increasing.
Evolving infiltration requires updated security measures
Cyber criminals use your company’s weakest link to enter the software or obtain money. Most of the time, they get in through employees.
Rock Island County lost $115,000 in a cyber attack that used social engineering fraud, which is when cyber criminals impersonate an employee or vendor to try to gain money through wire or other transfers. By impersonating a contractor the county works with, the criminal secured payments through three different transactions.
Paul Rouse, president of Rouse Consulting Group, a technology company that specializes in cyber security, said this attack could have been prevented if the standard security measures and training were in place.
"It really would have given the employees or members of the organization the tools to identify something that wasn't right, and should have probably been able to stop it and ask the next question, and figure out why this doesn't sound right, doesn't smell right," Rouse said. "Let's investigate it further before we hit the send button on $100,000."
This attack makes Rock Island County a bigger target for future cyber attacks, Rouse said, now that criminals know their scams work and the county is considered "weak prey." This makes training for employees and increased security measures critical.
To combat social engineering fraud, organizations should insist on in-person or over-the-phone contact before monetary transfers are finalized.
Here are other ways hackers get through to you and your staff.
Phishing emails: These emails, which often look very similar to emails from legitimate companies, contain a link that, once clicked on, will release ransomware to hack into sensitive data. Train your employees how to spot the fakes.
Ransomware attacks: The exploitation of a computer system through software that encrypts data. It also encrypts data outside of the direct computer system, like data stored in a cloud system or in a separate data center that the hacked computer has access to. Most cyber criminals partake in data exfiltration, which means they steal data while preventing the company from accessing it. Some attackers sell the data sets to other criminals, so you may still be at risk, even after paying a ransom.
Weakness in the cyber supply chain
The more complex your online software system is, the greater the cyber-security risk, especially if you have a large number of employees.
“That's what we've seen with some of these attacks on third party software that many, many companies utilize,” Johnson said.
Third-party software that connects multiple companies poses a great threat to their cyber security. If one computer at a software vendor is compromised, the rest of the companies that use its services are at risk. The cyber criminals can then access multiple businesses through one system.
If management software is infiltrated, cyber criminals sometimes wait until the next update to access any data, because they can introduce a new vulnerability that further weakens the software.
International cyber criminals often utilize weaknesses in the government’s supply chain to access state and federal data when the U.S. contracts out to smaller vendors with weaker cyber-security practices. Once attackers compromise the smaller companies, they can “leapfrog” through the subcontractors up to levels where they can access large amounts of data.
More research is needed to fully develop best practices for companies around how they manage third-party software in their supply chain, but practicing healthy cyber security can reduce risk.
Global security for national and international businesses
Every business should be concerned about international cyber security attacks, even if it doesn't conduct international business.
“The internet allows anyone from anywhere to be able to access equipment anywhere in the world,” said Mike Simmons from Imprimis Inc., a cyber security company. “So you get a lot of people from outside of the country.”
Most large-scale international attacks target U.S. banks, but nonprofits and midsize businesses can still be at risk if they are in a competitive industry established in other countries. If you are a global company, create well-developed cyber-security protocols to manage vulnerabilities across multiple countries. James Johnson, Deere & Co's chief information security officer, said Deere has “24/7 visibility all over the world” across each of its international sectors.
For companies that conduct business across multiple time zones, maintaining software that offers 24/7 surveillance is critical. The software should include firewall protection and thorough network monitoring.
Countries and states have different regulations and limitations when it comes to cyber-security protocols, so make sure to review them before drafting cyber-security measures.
If a company owns businesses in different industry sectors, like financial and manufacturing firms, each sector needs its own cyber-security defense planning to ensure proper protection against that industry’s greatest cyber-security risk.
Cyber insurance evolves with cyber attacks
Cyber insurance has protected businesses from the detrimental effects of a cyber attack for years. But its most popular features are shifting as the field changes.
Cyber insurance is recommended to all businesses because cyber criminals have unlimited resources, said Dan Molyneaux, who handles cyber insurance for Molyneaux.
“It's just a matter of whether they pick you or not,” Molyneaux said. “They're attacking any and all kinds of businesses. It's like a lottery in reverse.”
Cyber insurance was first marketed as liability insurance for private information that could be stolen by cyber criminals. Then, it was a way to pay for and ensure a company’s cyber security measures were in accordance with state and federal requirements. Now both of these tools are used to eliminate the risk of major damage after a cyber attack.
Current cyber insurance policies also include coordinated access to resources that companies would need after a cyber-security breach. Companies should call their cyber insurer immediately after an attack to get connected with a security firm, PR firm, forensic firm, and other resources to help their business recover.
Companies have to endure a lengthy application process that requires certain security measures be in place before they can qualify for insurance. For example, some companies require the elimination of remote desktop protocol, since its use can leave a company more vulnerable to hackers.
Proactive cyber hygiene
It is essential for businesses to take advantage of the resources for cyber security before an attack occurs to protect the longevity of their company.
“If you've got a good plan for data protection and recovery, and you're keeping your employees trained and aware, then you have a much better chance of surviving,” John Johnson said.
Training for employees on cyber safety is essential to defend against phishing-based cyber attacks. Insurers, technology nonprofits, and software companies typically offer training for employees or resources that can help educate about cyber safety.
To safeguard important data, install antivirus and next-generation endpoint protection, which can help deter cyber criminals. Keeping software “patched” regularly and backing up data are some of the most effective strategies for preventing ransomware attacks.
Sometimes, older is better. When processing wire transfers or other monetary exchanges, always have an element that hinges on in-person or over-the-phone interaction. This will help to avoid being impersonated over email or other electronic communication.
Reviewing countries’ and states’ individual requirements and laws on cyber security will help companies design the best defense protocols.