It’s Cybersecurity Awareness Month, and with this year’s theme, “See Yourself in Cyber,” the focus is on what individuals can do to protect the organizations they work with from the downtime, potential data (and customer) loss, reputational damage and considerable costs involved in a cyberattack. And those costs add up – now averaging $4.2M for a data breach. Ransomware attacks are out of control, increasing by 60 percent since last year, and experience has shown that paying the ransom doesn’t mean a company will get their encrypted data back.
Worse yet, the cyberattacks keep coming and are evolving in their sophistication. Many organizations, including SMBs, simply aren’t prepared. There are 30 million SMBs in the U.S., and more than 66 percent of them experienced at least one cyberattack between 2018 and 2020. According to a recent study from UpCity, only 50 percent of SMBs have put together a cybersecurity plan, and just 43 percent of small businesses say they feel they’re financially prepared for a cyberattack in 2022. This is especially alarming, since the costs and loss of business involved in an attack put many SMBs out of business, period. And once hit with a cybersecurity attack, a company goes offline for an average of 22 days, resulting in revenue losses ranging from $10,000 per hour for small businesses to more than $5 million per hour for large enterprises.
It’s not just up to the IT department anymore
Of course cybersecurity is technical, and many companies depend on their IT departments to handle it, but that doesn’t mean IT staff should shoulder cybersecurity responsibility alone. And in fact, they can’t. Smart organizations know that no one is 100 percent immune and accept that they probably won’t be able to prevent every single attack. Awareness and participation in cybersecurity best practices need to involve every member of your organization and become part of your company’s safety and privacy culture.
Because we’re all busy, pulled in multiple directions, using multiple devices and so often in a hurry, it’s easy to overlook simple steps that can help avoid a major and costly mistake. But a single cybersecurity breach can affect your entire organization.
Consider one of the biggest data breaches of 2021, when one stolen password allowed hackers to break into Colonial Pipeline and disrupt fuel supplies to the Southeast U.S. The attack occurred because the company was using a legacy virtual private network (VPN) that didn’t have multifactor authentication in place, which means it could be accessed with just the password, without a second security step such as a text message – a necessary process that most of today’s software employs.
In another example from this past September, hackers told the BBC that they carried out a cyberattack against Intercontinental Hotels Group (IHG) “for fun.” The hackers, a couple from Vietnam, accessed IHG’s databases and caused widespread problems for customers with bookings and check-ins – all because the couple found a (super) easy password: Qwerty1234. They at first wanted to attempt a ransom attack, but IHG’s IT team managed to isolate the company’s servers. When that attempt to make money failed, they resorted to a vindictive “wiper attack,” a type of cyberattack that irreversibly destroys data, documents and files.
Stay aware and take extra care before clicking
The FBI’s Internet Crime Complaint Center issued a public service announcement in May with updated statistics on business email compromise (BEC). These attacks use a variety of social engineering and phishing techniques to break into company accounts and trick employees – including high-level executives – into transferring large amounts of money to criminals. Between June 2016 and December 2021, the combined domestic and international losses amounted to US $43.31B. These scams frequently involve the use of social engineering techniques, such as spoofing and phishing.
Spoofing is when a criminal disguises an email address, sender name, phone number or website URL. The disguised version often differs from the real one by just one letter, symbol or number, enough to convince someone they’re interacting with a trusted source. For example, your employees might receive an email that looks like it’s from their boss, or from a company they’ve done business with, such as a supplier – but it’s not.
Cyber attackers then use spoofing techniques to conduct phishing schemes and lure people into taking the bait. The tricky emails might ask you to update or verify your personal or company information by replying to the email or visiting a website. In fact, 96 percent of phishing attacks arrive by email, and 74 percent of U.S. businesses have fallen victim to these attacks. Phishing has now become the most popular method of attack for hackers because it’s relatively easy to trick busy people into clicking on malicious links. And those copycat websites often disappear soon after they’re launched.
So the key is to look more closely at that URL before you click. The link inside a phishing email takes you to a spoofed website that often looks nearly identical to the real thing. If you then enter sensitive information such as passwords, credit card numbers or personally identifiable information (PII), the attackers have stolen the credentials they want. Phishing has evolved to include similar techniques: vishing (scams over the phone, voice mail or VoIP calls), smishing (scams through SMS text messages) and pharming (scams that happen when malicious code is installed on your computer and redirects you to fake websites).
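The "look closely at the URL" check described above can also be automated at a mail gateway or in a reporting tool. The following is an added example, not part of the original post: it flags sender addresses and links whose domain is one character away from, or a digit-for-letter swap of, a domain the organization trusts. The trusted list and the sample inputs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains the organization really does business with.
TRUSTED = {"example.com", "supplier-example.net"}

# Digit/symbol-for-letter swaps commonly seen in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Return the lowercase host of a URL or the domain of an email address."""
    value = value.strip().lower()
    if "://" in value:
        # urlsplit drops any "user@" prefix, so "https://example.com@evil.test/"
        # correctly resolves to evil.test, the host the browser would contact.
        return urlsplit(value).hostname or ""
    return value.rsplit("@", 1)[-1]

def classify(value, trusted=TRUSTED):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain or None)."""
    host = host_of(value)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    for t in sorted(trusted):
        # Compare only as many trailing labels as the trusted domain has,
        # so "login.examp1e.com" is still checked against "example.com".
        tail = ".".join(host.split(".")[-len(t.split(".")):])
        swapped = tail.translate(HOMOGLYPHS) == t.translate(HOMOGLYPHS)
        if swapped or edit_distance(tail, t) <= 1:
            return ("lookalike", t)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed samples: a real link, a spoofed sender, a spoofed supplier
    # link, and a URL that hides the real host behind a trusted-looking prefix.
    for sample in ("https://www.example.com/login", "ceo@examp1e.com",
                   "http://suplier-example.net/invoice",
                   "https://example.com@evil.test/"):
        print(sample, "->", classify(sample))
```

A "lookalike" result is a strong signal to quarantine or warn; "unknown" only means the domain is not on the allow-list and still deserves the manual look the article recommends.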
Remote work and using cloud services have also upped the chances of an attack
Because so many organizations, especially SMBs, rushed to make working from home and other locations a reality during the pandemic, a lot of security risks remain out there. The number of devices increased exponentially, creating a much larger attack surface for organizations and making it tougher to keep a remote workforce secure. With one wrong download, a personal device can install malicious code, including spyware that can siphon off company data when an employee opens business applications like email.
In addition, there’s been a huge increase in the use of cloud services, which also may not be fully secured. Now, more than ever, an organization is only as strong as its weakest link – and that can come down to one person and one bad click.
Tips to keep your cybersecurity strong
Of course you want to install firewalls to protect your organization and keep all software up to date – and patched whenever necessary. But you and your employees can also help prevent attacks by:
If your IT folks are overloaded, we can help
At Konica Minolta, our All Covered IT services division offers anti-malware protection and other solutions to thwart attacks and help you stay in business-as-usual mode. Our anti-malware services provide:
We also offer Managed Security Awareness Training to educate, train and actually phish your users so that they can develop more sophisticated cybersecurity skillsets. Our training programs help users with the safe use of email, social media, company software, data management systems and more through personalized and engaging training methods.
As Cybersecurity Awareness Month continues – and beyond – we’ll post more blogs to help you stay on top of constantly evolving cyberattacks and ways to keep your business protected. At Konica Minolta and All Covered, we’re completely committed to helping our customers stay safe from threats during the digital transformation we’re all experiencing.
Find out more about our malware protection services here.