There was a time when phishing emails were easily identifiable. Marked by broken English and an outlandish story, they made it easy for computer users to tell when someone was trying to scam them and hit the “delete” button instead.
The problem for businesses now is that cybersecurity threats are becoming more sophisticated and the number of connected devices continues to rise.
The threat of a cybersecurity attack is spread across all industries, from manufacturing, to retail, to health care, to banking.
The best starting place for protection is to consider the unique risks for an individual business and work from there, said Mike Block, vice president, information security officer at Wauwatosa-based The Equitable Bank and president of the Information Systems Security Association’s Milwaukee chapter.
An education or training program is also a good place to start.
“You have to have a knowledgeable workforce to be able to avoid some of the more common pitfalls,” Block said.
Those pitfalls include ransomware, malware, phishing schemes, unpatched machines, a lack of segmentation, wire transfer fraud and stolen sensitive files. While some attacks are easier to defend against than others, Block and Mark Shelhart, Sikich LLP senior manager for incident response and forensics in security and compliance practice, say education and some basic steps can go a long way.
Both said educational programs cannot be only an annual occurrence. Block said he holds them on a quarterly basis and Shelhart recommended holding them monthly.
The simple advice these programs give users: Don’t click on links or email attachments when you’re not sure of the origin. Even that advice can fall short, though, as attackers have taken to stealing logos, spoofing email addresses and embedding links inside messages, Block said.
He recommends using real examples of scam attempts to show employees what the latest attacks look like.
“Instead of trusting everything, you may have just a little edge of suspicion because you’ve seen what some of the bad stuff looks like,” Block said.
Shelhart said being aware and paying attention to details are important. Even small subtleties in language can be a clue. In one case, a potential wire fraud case was stopped because the attacker, posing as an executive, used the word “please” and the accountant felt it was out of character and became suspicious, Shelhart said.
Wire transfer fraud is among the growing cybersecurity threats, according to the FBI’s Internet Crime Complaint Center. The center says there have been more than 22,000 domestic and international victims of business email compromise, which often includes requests for wire transfers.
Those victims have an exposed loss, either actual or attempted, of almost $3.1 billion, including $960.7 million for U.S. companies, between October 2013 and May 2016. The center says it has seen a 1,300 percent increase in identified exposed losses since January 2015, and victims range from small to large companies.
These attacks, where a scammer poses as an executive or someone outside the company, involve a request for money to be transferred and often include some sense of urgency. In the past, the attacks involved smaller dollar amounts of less than $10,000, but Shelhart said scammers have increasingly gone after larger amounts.
The best defense is to implement protocols that go outside the email chain, Shelhart said. That might involve a phone call between the parties involved or a passcode, which shouldn’t be shared via email. Shelhart said it might be best to avoid doing the wire transfer altogether, if possible. It may be inconvenient to drive 20 miles, he said, but the potential to save money and headaches is worth it.
An educated and alert workforce can stop a lot of attacks, but Shelhart and Block also said the way a network is set up can go a long way in preventing problems.
Block said that means having proper defensive techniques, like firewalls, and “constantly and effectively” patching operating systems.
Shelhart said larger devices can pose a danger to a network because they aren’t always updated on a regular basis. These machines can include surgical robots, laser cutting machines, ticketing machines in a parking garage, a jukebox in a bar, camera systems and card access systems.
These machines are often updated and serviced by an outside vendor, according to Shelhart. It is important to build patching or updates into the contract when purchasing the device to make sure it will be handled. While the devices will often need a network connection, he said the answer isn’t to put them on the main network, but instead to spend a small amount of money to set up their own network.
Devices should be segmented across the organization. Shelhart said having a setup in which the accounting department and the factory floor are on the same network can cause problems. Employees may not realize they are all interconnected, but the malware or virus will be able to find its way from one area to another.
Putting a firewall between different departments can help prevent and stop attacks. Shelhart said it is a lot like going to a hotel, university or large company and finding both corporate and guest WiFi networks.
“You need to apply that to your (internal) network as well,” he said.
Setting up slightly different networks for each department may seem like extra work, especially for smaller companies. Shelhart said smaller firms where responsibilities aren’t substantially divided up may be able to get away with not segmenting.
“If you’re at the point where you’re subdividing where people sit, you should also be subdividing the firewall,” he said.
At the same time, Shelhart said smaller and mid-size companies are often prime targets for attackers because they don’t have as many resources dedicated to security.
Questions to consider:
- Are employees regularly educated on the latest cybersecurity threats?
- Are machines serviced by outside vendors properly protected?
- Should departments be segmented onto their own networks?
- Are there proper protocols in place for wire transfers?
Resources:
- https://www.dhs.gov/stopthinkconnect
- https://www.consumer.ftc.gov/
- https://www.us-cert.gov/
- http://www.krebsonsecurity.com/