Editors’ Note: In times of crisis, cybercrime can be exponentially higher than usual. To help protect your practice, Incisor is kicking off a new series on cybersecurity, with tips you can employ now and in the days ahead.
About a year ago, I was in Pennsylvania to work with a small business that had been attacked by a cybercriminal. The attack consisted of subverting the desktop computer of a manager and using his email account to send authoritative emails to the clients of the company. The email was an informational note to all of their customers letting them know that the company had changed their collections to electronic Automated Clearing House (ACH) payments.
The black-hat hacker was “helpful” enough to include the instructions and the new ACH number so that all customers could make payments easily.
By the time the fraudulent email was discovered, my clients had lost over $10,000. It could have been worse, because this small business customer of mine hadn’t even known about the threat until one of their customers called in to ask, “Why the change?”
There are municipal organizations that would love to have had only a simple $10,000 bill like my customer in Pennsylvania, as they have been targeted by ransomware attacks. Regarding ransomware attacks, Cnet[i] reported in 2019 that “Attacks spiked this year, with more than 70 state and local governments hit with ransomware,” pointing out that Atlanta paid $2.6 million to restore its systems.
Smaller municipalities have not been able to afford to pay the ransom, and have had to rebuild from scratch, bringing municipal services to a halt.
A Colorado company that provided IT services for about 100 dental practices “was hacked, allowing a potent strain of ransomware known as ‘Sodinokibi’ or ‘REvil’[ii] to be installed on computers at more than 100 dentistry businesses.” This attack likely cost a total of more than a million dollars.
In a different incident, an organization that handles data backup for dentists was attacked by ransomware. The “ransomware encrypted files for approximately 400 dental practices,” making the files inaccessible to all of those dentists and creating a reportable HIPAA data breach.
I could go on about these types of targeted attacks, but what matters most is what to do about them: how to stop the main vector for most small business attacks.
So, let’s change pace and discuss the number one cybersecurity threat facing small businesses, with a focus on solutions.
Ransomware locks you out of your files and hackers demand a "ransom" sum of money to return access to you. Phishing, on the other hand, can open your computer files for hackers to download and exploit.
Threat number one: Phishing—The problem
From ransomware to APTs (Advanced Persistent Threats) to malware such as backdoors and remote access trojans, the most common attack vector is our email systems.
This is the CTO, Robert Jones. It is of utmost importance that you respond immediately to save this deal while I am overseas in Brussels…
These attacks can be personal and targeted, and can use familiar-looking interfaces from Adobe, Microsoft, Dropbox, or other cloud vendors. They can appear to originate from within your organization. They can even happen during a LinkedIn session.
Phishing attacks are a class of social engineering that takes advantage of features in our own operating system, the human mind. In today’s digital culture, users want to click on links and often do so without thinking of the dangers.
Last year, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021[iii] and too much of that can come from your organization if you fail to combat phishing.
Threat number one: Phishing—The solution
The “solution” to phishing requires a lot of up-front work and constant vigilance. In many cases, the investment in this area can be hard to see because it is measured in “didn’ts” and “don’ts.”
The Didn’ts and Don’ts
- The backdoor installed on Fred’s computer allowing 400 customer records to be stolen that didn’t happen.
- The ransomware attack that brought your organization down for 3 weeks, losing you 40% of your customer base and costing $700,000 that didn’t happen.
- The worm attack that you don’t see.
- The virus attack that you don’t see.
All it takes is one breach to lose money, reputation, and even your practice, so let’s look at some of what can be done to defend against the coming phishing attacks against your organization.
Steps to take in 2020
- Lock down your network.
- Lower privilege. Do not allow any employee to stay logged in with a local administrator or a domain admin account.
- Make sure all operating systems, apps, and devices stay up-to-date with the latest vendor updates. Automate it as much as possible. This includes all equipment that uses software or firmware.
- Have automated and maintained endpoint protection. This is your antivirus/antimalware software. Do not skimp on this. It needs to guard against viruses, worms, ransomware, zero-day (unknown) threats, suspicious activity, rootkits, botnets, etc.
- Encrypt as much as possible: mandatory VPNs for all wireless communications, encrypted customer and personal data, and encrypted disk and solid-state storage.
- Harden each class of workstation from user systems to equipment-connected systems according to manufacturer specifications.
- Only use long passphrases for passwords on all systems and use 2-factor authentication wherever possible.
- Physically protect equipment, workstations, and devices through alarms, locks, guards, etc.
- Upgrade your employees
- Have periodic (e.g. quarterly) meetings and campaigns to educate your employees about what phishing is and how it looks.
- Test your employees constantly using internal test phishing campaign software like Infosec IQ, or Ohphish (an EC Council Company).
- Train your employees, temp workers, and associates in basic computer security. Require a basic certification for every employee. Require that certification be maintained.
- Do not forget voice phishing and impersonation. It is important that your front desk personnel challenge all people even if they are wearing a uniform or are carrying a ladder (like the funny YouTube skit, “Can you get in anywhere with a ladder?”).
- Engage cybersecurity professionals (when you can). You will need them to help you navigate the points I make above, and those that I have left out for the sake of time. It is imperative that you schedule a periodic penetration test, where a cybersecurity professional will attempt to hack your systems in a controlled setting and using well-known standards.
- Review your business insurance with legal counsel, and make sure that it covers cybersecurity crime. If it does not, upgrade or change it.
I often tell my students and customers that this is not a Ronco situation; you can’t just “set it and forget it.” Cybersecurity is something you and your organization need to constantly keep in focus. Even though it might not be your area of expertise, there are many resources you can use to make sure that something phishy doesn’t harm your organization.
Kevin King is a Certified Security Analyst, and holds many IT and Cybersecurity Certifications. He teaches ethical hacking and does security and infrastructure consulting.