Source: Association of Equipment Manufacturers (AEM); Published by: Exhibit City News Staff
Cyber incidents have become a major problem for large corporations, small businesses and individuals alike. No one is immune from a potential attack, which means everyone in an organization must play a role in safeguarding assets. Tom Meehan, chief strategy officer at CONTROLTEK and a cybersecurity and loss prevention expert, recently spoke to attendees of AEM’s 2021 Product Safety & Compliance Seminar about the key trends in cybersecurity, along with what he sees as the top risks for companies moving forward.
Ransomware remains a top threat for companies. Ransomware is malicious software that locks computer files by encrypting them. The attacker then requests a payment (ransom) in exchange for releasing the files. Ransomware attacks have increased 239% since 2019. The cost for a business to recover from an attack has increased 228%.
“Ransomware attacks can happen several different ways,” says Meehan. “The most common is when someone clicks on a link in an email that executes malicious code. One of the bigger problems today is that many ransomware attacks are going after solutions providers. For example, an IT services company was recently attacked, which led to several hundred customers also getting infected. This type of thing is very concerning.”
The federal government is among those who have become increasingly concerned. As Meehan pointed out, that is one positive development to emerge from the rising risk of ransomware attacks.
“The federal government now treats ransomware to the same degree it treats terrorism,” Meehan says. “With the Colonial Pipeline incident in May 2021, for instance, the federal government was able to seize 80% of the $4.5 million that was paid in bitcoin.”
There are a couple of key actions a business can take to protect itself against ransomware attacks.
Don’t click it: As Meehan noted, some of the same advice that existed 20 years ago is still valuable today. “If you get an unexpected email, don’t click on links or open attachments. If I get something unexpected, I’ll often text the sender to make sure they had sent it. Taking an extra 30 seconds to validate an email is always a good use of time,” Meehan states.
Stay up to date: Meehan said companies running outdated IT systems likely have inadequate protection. Cybercriminals actually scan job websites to search for companies hiring programmers with experience using COBOL, an old programming language that remains in use by many companies today. Even outdated versions of Windows or macOS can increase a company’s risk if patches (updates) are no longer being written.
“As 5G networks are built, the number of connected IoT (internet of things) devices and sensors will continue to expand,” Meehan says. “This creates network vulnerabilities to large-scale attacks. The more connected you are, the more vulnerable you become because your digital footprint expands.”
According to Meehan, this will become a company’s greatest cyber risk over the next five years.
“All of these connected products create entry points into your network,” Meehan explains. “Even if an IoT device doesn’t necessarily create an intrusion point into your network, it could create a disruption point for your business.”
Meehan said it is important to ensure that any connected device is made by a reputable company and is patchable. Companies should also make sure someone is managing the lifecycle of their IoT devices. “Something purchased five years ago might not be patchable in another three years,” Meehan explains. “It’s important for someone to be responsible for recognizing the end of life of certain devices.”
Having employees work from home has obviously become a bigger risk over the past year. According to Meehan, cybercriminals are taking advantage of misconfigured cloud security measures and insecure home networks and devices. Again, it’s about digital footprint. “Even when you have a headset or phone connected to your computer, you’re creating another potential entry point,” Meehan pointed out.
Due to these vulnerabilities, remote workers are often the target of phishing scams via email, text, voice and third-party apps. Remote workers must remain vigilant. (More on phishing below.)
Another piece of advice from Meehan is to avoid “crossing over” devices. For instance, resist the urge to let one of the kids jump on your work computer for a few minutes. Likewise, refrain from using your work computer for your own personal reasons. Every website visited and email opened could pose a risk.
Phishing is still a widely utilized tactic by cybercriminals — and not just for targeting remote workers.
One type of phishing email is made to look like a legitimate email from an organization or individual. The objective is to make the recipient feel comfortable and let their guard down, ultimately resulting in a clicked link, downloaded attachment or divulgence of personal information.
Phishing emails are often based on timely topics, which lately have included package tracking and vaccine-related information. Attackers can use bots to send thousands of automated emails.
Meehan said there is another type of phishing that has become quite popular. Instead of sending to large numbers of people, spear phishing is highly targeted. An example is an email about a specific topic or even project sent to a specific group of people, often colleagues. The goal is to entice one of the recipients to click a link or divulge information.
According to Meehan, 75% of cyber incidents originate from within the company. Furthermore, 40% start with an employee, often after falling victim to a phishing or social engineering scam.
“Insider threats can also be other people with access to your offices and computers, including contractors and security guards,” Meehan pointed out. “This is really important to note because this is something a company can control.”
Another thing a company can control is its insurance coverage. Meehan said cyber insurance has become a necessity today. But obtaining coverage isn’t enough. Companies must go through their policies with a fine-toothed comb.
“In the past, cyber insurance was just about mitigating the costs of identification and recovery,” Meehan related. “Now companies must also think about liability, especially if customer data includes more than just company name. It’s important to make sure a policy also covers everything you might need it to, from compromised emails to ransomware.”