Rick Maxwell, President & CEO, Full Service Networking
We recently held a program for the Cincinnati community entitled “IT Security for the Small and Middle Market”. This program offered an overview of current cyber security threats, along with IT best practices and insurance solutions to reduce and transfer organizational risk.
An FBI special agent from the cyber security division of the Cincinnati office presented an overview of the current cyber security challenges that are facing area businesses, nonprofits and K-12 schools. Unfortunately, no one is immune to the evolving data security threats.
One such prevalent attack affecting organizations of all sizes is known as “phishing”. This is an attempt by thieves to obtain sensitive information such as usernames and passwords, or to steal money outright, by impersonating a trustworthy source in an email.
The Verizon Data Breach Investigations Report 2015 states that as much as 80 percent of all malware attacks are phishing attempts: 23 percent of these are infections embedded in the email itself, and 11 percent reside in an attachment.
The FBI special agent specifically warned the attendees to be mindful of prevalent phishing deception tactics that attempt to get you to transfer money to their financial account. Here are two examples that he provided as current nefarious tactics:
- Criminals are purchasing similar internet domains to create emails that at a quick glance appear to be correct. As an example, my email is firstname.lastname@example.org. By simply purchasing the domain – fullservices.net – the criminal employs a slight change that a busy executive could easily take at face value as my authentic email. Under this scenario, the criminal urgently instructs our Controller to wire payment based on a compelling, fictitious business reason with an urgent timeframe.
- To further increase their odds of success, criminals are using LinkedIn to identify newly hired Controllers/CFOs, who are eager to act quickly on a request from their new employer.
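As an added illustration (not part of the seminar or this article) of how a mail gateway or help-desk script could flag the lookalike-domain tactic described above: the script holds any payment request whose sender domain is not an exact match for a known domain, and separately labels near-misses that differ by only a letter or two. The trusted domains and the sample messages are constructed placeholders, since the article does not give the company's real domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: the article does not state the company's real domain,
# so these placeholders stand in for its own domain and those of known partners.
TRUSTED_DOMAINS = {"fullservice.example", "partner-bank.example"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header_value: str) -> str:
    """Lower-cased domain part of a From: header value; '' if the header is missing."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()

def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' on an exact match; 'lookalike' when within a couple of edits of a
    trusted domain (the single added letter in the article's example); else 'unknown'."""
    if domain in trusted:
        return "trusted"
    if any(levenshtein(domain, t) <= max_distance for t in trusted):
        return "lookalike"
    return "unknown"

def triage_message(raw: str) -> dict:
    """Decide whether a payment request should be held for the phone call-back the
    FBI agent recommends: anything not from an exact trusted domain is held."""
    msg = message_from_string(raw)
    domain = sender_domain(msg.get("From", ""))
    verdict = classify_domain(domain)
    return {"from_domain": domain, "verdict": verdict,
            "hold_for_callback": verdict != "trusted"}

# Constructed samples: the second sender's domain differs by one inserted letter.
SAMPLE_LEGIT = "From: Rick Maxwell <rick@fullservice.example>\nSubject: Lunch?\n\nNoon works.\n"
SAMPLE_LOOKALIKE = ("From: Rick Maxwell <rick@fullservices.example>\n"
                    "Subject: URGENT wire today\n\nPlease wire the attached invoice.\n")

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_LOOKALIKE):
        print(triage_message(sample))
```

The "lookalike" label is what distinguishes a one-letter domain variant from ordinary unknown mail, so the Controller sees why the request was held rather than just that it was.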
These phishing attacks can also target a supply chain by requesting valuable intellectual property under the fictitious pretext that the information must be sent quickly to secure a new customer or a multi-million dollar opportunity. Further, because smaller companies are traditionally less aware of phishing tactics, cybercriminals will target the smaller companies that have strategic relationships with larger companies and corporations. Corporate espionage can be just as valuable as outright stealing money or, in some cases, more damaging.
To combat this threat, the FBI special agent’s recommendation is to always use a common sense approach. For instance, prior to taking any action, directly phone the person requesting unusual one-time actions to obtain verbal approval. This is especially sensible if it involves any transfer of money or intellectual property.
Furthermore, companies need to adhere to industry best practices. Examples include investments in multi-level defense strategies, such as deployment of an active firewall, email spam filtering, anti-virus protection on all Microsoft Windows operating systems (PCs and servers), encryption, secure VPN remote access, a separate guest wireless network, and forced password resets. Additional tools, such as OpenDNS, provide protection against CryptoLocker/ransomware attacks by outright denying access to websites that are either not properly certified or are known to host malware.
In 2015, Hewlett Packard Enterprise’s Annual Cyber Risk Report indicated that Microsoft Windows represented the most targeted software platform, with 42 percent of the top 20 discovered exploits directed at Microsoft platforms and applications. Therefore, it’s imperative to keep current by applying operating system (OS) security patches regularly to reduce vulnerability and exploitation.
Even after deploying all available prudent technical protections, your organization will still be exposed to some level of risk. Therefore, we always recommend exploring Cyber Security Insurance options with your insurance broker to limit your liability and to counterbalance the remaining risk, much of which stems from the human element.
Even as you apply IT best practices to limit your exposure, remain diligent in protecting your business data, because cybercriminals tend to seek out easy targets when exploiting their victims. This topic is worthy of continual review with your internal team and managed IT partner.