Despite all the warnings and available security tools, cyber-attacks continue to grow at staggering rates. The number of ransomware attacks last year jumped to 638 million from 3.8 million in 2015, a 16,000 percent increase that cost victims nearly $1 billion. Business email compromises (BEC), another widespread fraud, climbed 1,300 percent since 2015, costing companies an average $140,000 per scam.
The crisis will only worsen unless businesses of all sizes adopt new strategies to protect their assets, a group of cybersecurity experts warned at CompTIA NYC Cybersecurity Skills Summit in New York City on March 1.
Those strategies, the panelists stressed, should focus on regularly scheduled simulation and live-fire exercises and include a steady stream of information to help employees identify incoming attacks and spot emerging trends.
The occasional one-size-fits-all PowerPoint presentation or a response plan that sits forgotten on a dusty shelf won’t cut it.
“You need a persistent campaign of training,” said John Dvorak, chief technology officer (CTO) of Information Innovators, a Springfield, Va.-based solution provider that was recently acquired by Salient CRGT.
Small Businesses Need Solution Providers
Several other major trends have emerged during the past year, the panelists noted. One reason behind the steep increase in attacks is that cyber-criminals are targeting small entities, such as law firms, real estate offices, banks, churches and nonprofits. Those companies can’t afford in-house security experts, nor can they afford the downtime caused by cyber-attacks.
“If the organization behind a ransomware attack charges $1,000 to unlock the data, that $1,000 could mean life or death for a small business,” said Henry Washburn, technical evangelist at Datto, a provider of total data protection solutions based in Norwalk, Conn. “The trick is to mitigate risks.”
As a result, more small businesses are turning to solution providers, including managed service providers (MSPs), for help. That trend will continue since cybersecurity experts are expensive, in demand and easily poached.
“Companies are saying ‘Our core expertise is not IT, so let’s bring in an organization that has that expertise,’” said Cindy Cullen, president of the New Jersey chapter of (ISC)², a nonprofit that provides security certification and training. “The latest trend is to outsource.”
Learn the Ways of the Wicked
But software and other tools, no matter how they’re sourced, can only go so far. The first line of defense should be educating employees who are most exposed to risk, such as those in finance, IT and human resources, about how the enemy thinks and operates.
Cyber-criminals, Dvorak explained, borrow the same well-honed skills that successful con artists have been perfecting for centuries. They patiently learn their target’s vulnerabilities and practice ways to exploit them. Unfortunately, most of us don’t know our own vulnerabilities or how to prevent them from being exploited.
“Most people don’t know the difference between a hook and a hamburger,” Dvorak said.
To illustrate how cybercriminals work, Dvorak spoke about the hottest trend in business email compromise: a new form of tax fraud where thieves steal employees’ W-2 forms and use the information to obtain their tax refunds. Dvorak recently consulted with two companies that fell victim to the scam.
The criminal takes on the identity of the company CEO or other authority figure by creating a fake but believable email address. He’ll then send the victim, who’s usually a high-level employee in finance or human resources, a series of friendly, conversational emails to establish trust. The exchanges can last for months before the criminal makes his move. The final email usually sounds something like this: “When you have a chance, kindly send me a copy of all W-2s for a quick review.”
In both of Dvorak’s cases, the criminals received the W-2s within about 15 minutes of sending the email. Hundreds of tax refunds were stolen before the company realized what had happened.
“Education is the best form of protection,” Washburn said. “It’s an opportunity for IT professionals to prove their worth and help a client understand how one email can be horrible.”
Ransomware as a Service
Clients also need help understanding ransomware. Victims opened a ransomware file every 40 seconds during last year’s third quarter, up from once every two minutes in the first quarter. Roughly 4,000 attacks are launched each day. To make matter worse, only one in five people recover their information after paying ransoms, which totaled $209 million in the first quarter of last year. Only 50 percent of all information is ever recovered, Dvorak said.
Several trends will continue to drive those numbers. One of the scariest is a new $35 “ransomware as a service” platform that includes encrypting tools and a Bitcoin ransom payment structure. The control systems behind Industrial Internet of Things (IIOT) applications are also poorly protected and serve as ripe targets for hackers.
“No matter how many security solutions are available, the threat of a cybersecurity attack keeps executives up at night,” said James Stanger, CompTIA senior director, product development.
Advice from the Experts
To protect against those threats and help those susceptible to them sleep a little better, the panelists offered these tips and strategies.
- Ransomware files can encrypt all in-house systems, including backups. Mirror all important data on remote servers.
- Establish protocols for sharing personally identifiable information (PIIs). Train employees to contact their superiors whenever they receive an unusual request.
- Offer monthly security service contracts, especially to smaller companies. They help establish a baseline for developing protocols and awareness among employees. “It’s important to get everyone on the same page,” said John Kerr, vice president of commercial cybersecurity at Federal Data Systems, an Arlington, Va.-based solution provider, who suggested avoiding large data dumps. “You can’t make it too complex.”
- The proliferation of remote, mobile and bring-your-own devices offers criminals a wealth of ripe targets. Kerr calls this “the extension of data,” and its exposure is something that keeps him up at night. “The weakest link could be almost any device,” he said.
- Use security behavioral analytics software to establish risk assessments of employees and resources. Any type of automation that allows fewer people to handle huge amount of data is helpful. Dvorak recently used the software as part of a full security campaign he conducted among a large group of employees. Of respondents, 60 percent unwittingly replied to a bogus email, exposing their company to a potential attack. By the end of the campaign, the number of responses dropped below 10 percent. “The biggest vulnerability is that staff is not prepared,” he said.
- Carefully vet all security software, said Dr. Anita D’Amico, CEO of Code Dx, a Northport, N.Y., developer of software vulnerability management tools. Web and mobile apps are especially vulnerable, she said.
- Divide security budgets among prevention, detection and response plans, allocating the most resources to the weakest piece.
In the end, the panelists agreed that it comes down to clearly and consistently communicating the right information to the right employees.
“You need to have a response plan for everyone who is susceptible to these types of scenarios,” said Risé Jacobs, senior vice president and CTO at Astoria Bank. “Just talking to them about it is not the best solution.”
Do you have something to add? Continue the conversation on Twitter with #NYCCyberSkills.