Companies of all sizes can mitigate threat of, damages from cyber attacks
By John C. Stevenson
High-profile cybersecurity breaches easily get top billing on the nightly news, but information and security specialists worry that small- to midsize businesses may not have the financial wherewithal or even the accurate information needed to mount a proper defense against cyber criminals.
One of the most startling cyber breaches occurred in 2013, when retail giant Target was hacked, exposing the sensitive information of more than 40 million people, including names, mailing and email addresses, telephone numbers and credit and debit card details. In addition to the cost of mitigating the breach, Target paid more than $18 million to settle legal claims against the business.
The way the Target hack worked is worrisome to security experts because the retailer’s systems were infiltrated not from the outside, but from inside the company’s cyber defenses.
“What happened (with Target) was their air conditioning vendor had connections inside of (Target’s) network and somebody managed to breach the security of the air conditioning vendor,” said Richard Brooks, Clemson University professor of electrical and computer engineering. “That’s part of the problem, no matter how good your security is: Buildings are a big issue, because the air conditioning, elevators, building security systems are also connected to the internet and then that’s one way that people can get around the security you have.”
From the IT Department to the C-Suite
The rising complexity of the threats, not to mention the costs of mitigating a cyber breach, have changed the way large corporations like Target address cybersecurity.
“In large corporations, it has gone from being an IT issue to being an issue that is addressed in the C-suite to an issue that is routinely discussed with the company’s board of directors. It’s an issue that has risen to that level,” said Robert Hartwig, clinical associate professor, finance department director and co-director of the Risk and Uncertainty Management Center of the Darla Moore School of Business at the University of South Carolina. “CEOs understand that they literally could lose their jobs over poorly handled cyber incidents. It’s become personal for them.”
Hartwig said awareness of the need for cybersecurity has “evolved rapidly” over the last decade as cybercrimes have “cost corporations trillions,” while millions of customers’ records have been compromised.
“There’s no such thing as sitting on your laurels in risk management,” Hartwig said. “And cyber is probably the most illustrative of that point because cyber risk is dynamic in the sense that, if you’re a business that’s invested heavily in the latest firewalls, the latest training for employees, the latest software to prevent attacks, the latest controls – your enemy will adapt and change and before long those techniques that worked a year or two ago will likely be only partially effective.”
But cybersecurity concerns don’t affect only businesses. In the Lowcountry, to ensure the continued security of ports such as Charleston, the Army Cyber Institute at Georgia Southern University recently conducted simulated cyberattacks at the ports of Charleston and Savannah, Ga., using the ACI’s Jack Voltaic 3.0 model of focused research on both critical infrastructure and public/private partnerships. According to reports, the scenario-based exercise used simulated malware and ransomware attacks, including ones that caused simulated power outages, to test readiness under a number of emergency scenarios.
According to the ACI website, “by conducting Jack Voltaic 3.0, both cities had an opportunity to rehearse, refine, and demonstrate their cyber-response capabilities through multi-echelon partnerships.”
Smaller Companies Not Invulnerable
The increasing pervasiveness of cybercrimes has caused experts to have growing concerns not just for Fortune 500 businesses, but also for smaller companies.
“Where the challenge exists is among medium- and smaller-size companies,” Hartwig said. “They’ve certainly heard about companies that have been impacted by cyberattacks and that their businesses have suffered as a result, but at the same time, we see complacency within small- to medium-size enterprises. It’s not that they don’t recognize there’s a risk, but there’s a tendency to downplay the likelihood of that risk having a meaningful impact on you.”
One cyberattack that is proving challenging for companies of all sizes is the hacker practice of phishing. In phishing attacks, the hacker sends out emails, typically carrying attachments, to a company’s employees. Often, these emails are made to look like legitimate business correspondence, but when the employee opens the attachment, it creates the opportunity for a wide range of nefarious actions. The document can infect one computer or an entire network with malware, viruses, ransomware or other malicious programs that were hidden in the email or its attachment.
Clemson’s Brooks suggested that many companies are inclined to respond the wrong way when faced with a phishing attack.
“Those have gotten to be so good that it’s asking too much of employees to differentiate between” phishing emails and legitimate correspondence, Brooks said. In one instance of a successful phishing attack, Brooks said hackers sent emails out to a business that purported to be from the business’s HR department.
“It said, ‘we’ve changed our human resources policies; here’s the new document,’ and it was linked to a PDF,” he explained.
Brooks said that while PDF files are usually thought of as innocuous, it’s possible to embed malicious programs within PDF documents. Further, he said it’s no longer sufficient to blame employees for responding to these phishing attacks.
“I’m sorry, but people will say ‘it’s the employee’s fault,’ and ‘you shouldn’t click on those things,’ but anyone who works for any company would be used to getting human resources emails that say ‘oh, here’s our new policy,’ and ‘here’s the URL.’ It’s easy to forge the addresses, and if you get an email like that, there’s no way for an ordinary employee to differentiate.”
He said one way that companies can deflect such phishing attacks is to refrain from sending emails with documents attached. Brooks also said that other methods, like using the latest technology for encrypting and signing emails and documents, can help minimize the risks associated with email attacks.
Clemson University associate professor Kelly Caine also stressed the importance of companies creating a culture of awareness for all employees, one in which they feel free to ask questions first.
“If you’re pressuring people to work so quickly that they’re not allowed to have time to consider whether behavior is risky or not, you’re going to put your company at a higher risk for security incidents,” said Caine, associate professor in the Human-Centered Computing Division of the School of Computing at Clemson. “On the other hand, if your team understands that if they think something is at all fishy – if something strikes them slightly the wrong way – they’re rewarded for bringing that to the attention of IT, you’re going to have a lot more secure outcomes, rather than if they were docked in some way for taking the time to act in a secure way.”
Pandemic Increases Risks
Caine also said the 2020 Covid-19 pandemic, which has driven an increase in the number of people working remotely rather than reporting to a brick-and-mortar office, has exacerbated a host of security issues revolving around cross-device attacks.
“It’s like any kind of scam,” Caine said. “It can be a scam that comes via your email, it can be a scam that comes from someone calling you on the phone. Malicious actors can try to trick you in a variety of different ways. Your computer can become insecure via an attack that comes via a call to your cell phone. I think that’s something that we don’t often think about: the cross-device attacks. It may not be an email that comes to you, but it could be a text message or a phone call you get that’s trying to collect some piece of information that would then leave you vulnerable to being hacked.”
Indeed, with so many employees working from home, businesses have seen the risks of a successful cyber breach “skyrocket,” according to Michael Holcomb, an Upstate information security professional who is president and founder of the Greenville chapter of the International Security Systems Association.
“It’s important for employers to train their employees to help them keep safe at home,” Holcomb said. “We’re seeing three, four times the attacks now than we did pre-Covid. Now, a company’s users are sitting at home, and they don’t have those millions of dollars in security controls that we have, or any of the controls that any organization has. They’re used to sitting in the fortress behind all the walls and the security controls to protect them from all the bad stuff that’s out on the internet, and now they’re at home, and if they’re not on their (virtual private network), then all those protections go bye-bye.”
In addition to phishing attacks, Holcomb said businesses continue to face evolving threats from hackers using ransomware to hijack a company’s information or even computers and entire networks and demand payment for its release.
“Now where we see active attackers in the ransomware world, ransomware 2.0 is where these hackers are much more nontraditional – they’re not encrypting your files and your network, they’re actually spreading control and looking for data. They exfiltrate the data off of the network and over the internet, then they might come back and encrypt all your systems and say ‘hey, if you want your systems back, you have to pay us, and oh, by the way, we made a copy of all your system’s data. If you don’t want us to publish this to the world, then you need to pay us, regardless.’”
Another problem exacerbated by the ongoing pandemic is a spike in digital fraud, according to a recently released report by Javelin Strategy and Research and SAS. According to the report, which examined information from January through September 2020, the pandemic has been a boon for mobile apps, with U.S. mobile banking alone showing a 50 percent rise in usage during the first half of the year.
But the rise in app usage has also come with a significant uptick in attempts of digital fraud, with one of the executives who contributed to the report noting that his company has seen an increase of almost 35 percent in fraud attempts.
Among the study’s key findings: the use of digital payments represents a growing global risk for businesses; digital fraud is increasing in both frequency and sophistication as bad actors find new ways to exploit weaknesses; and to successfully combat fraud attempts, financial-services organizations need layered technology and analytic capabilities to identify overlapping threats in real time.
Mitigating the Risk
“Businesses have to accept the fact – and small- and medium-size businesses in particular – that there are risks, and then begin that risk-management process that will lower the likelihood of a successful attack, and if there is an attack, will lower the severity – in other words, the cost or the duration of that event,” Hartwig said. “And that is where an increasing number of resources are available to small- and medium-size businesses.”
One popular resource is a risk-management classic that is adapting to find new solutions: insurance. Hartwig said insurance providers are now offering solutions to help protect businesses from the financial impact of successful cyberattacks.
“With most insurers today that offer cyber coverage, it’s a hybrid product,” Hartwig said. “The insurer’s not simply selling you cyber insurance to cover you for any losses you might sustain in the event of a cyberattack.”
Added Hartwig: “When you buy cyber coverage from an insurer, you’re really buying a package or a suite of products that usually begins with an assessment of your current cyber defenses and vulnerabilities (assessing the risk), so insurers are partnering with companies that are expert in identifying risks in technology infrastructures.
“Then recommendations will be made in conjunction with the firm making the assessments. Then after that, the insurer can offer a policy for any cost that might arise from an event that might occur. Hopefully, after you adopt the suggestions of the cyber firm, it’s less likely that there will be a successful attack, and that will keep your premium down, of course.”