Cyber incidents have become a major problem for large corporations, small businesses and individuals alike. No one is immune from a potential attack, which means everyone in an organization must play a role in safeguarding assets.
Tom Meehan, chief strategy officer at CONTROLTEK and a cybersecurity and loss prevention expert, spoke to attendees of AEM’s recently held Product Safety & Compliance Seminar about the key trends in cybersecurity, along with what he sees as the top risks for companies moving forward.
The 2022 Product Safety & Compliance and Product Liability Seminars will be held in person April 25th – 28th, 2022 at the Lincolnshire Marriott Resort in Lincolnshire, Illinois. Sign up to get the latest updates.
Ransomware remains a top threat for companies. Ransomware attacks have increased 239% since 2019. The cost for a business to recover from an attack has increased 228%.
Ransomware is malicious software that locks a victim’s files by encrypting them. The attacker then demands a payment (ransom) in exchange for the decryption key that releases the files.
“Ransomware attacks can happen several different ways,” said Meehan. “The most common is when someone clicks on a link in an email that executes malicious code. One of the bigger problems today is that many ransomware attacks are going after solutions providers. For example, an IT services company was recently attacked, which led to several hundred customers also getting infected. This type of thing is very concerning.”
The federal government is among those who have become increasingly concerned. As Meehan pointed out, that is one positive development to emerge from the rising risk of ransomware attacks.
“The federal government now treats ransomware to the same degree it treats terrorism,” Meehan said. “With the Colonial Pipeline incident in May 2021, for instance, the federal government was able to seize 80% of the $4.5 million that was paid in bitcoin.”
Recovery of the ransom by law enforcement is the exception, however. More often a company pays, regains access to its files, and that is the end of it. The price tag can be quite hefty. According to Meehan, for a smaller business a ransom is often $3,000 to $10,000, and sometimes as large as $100,000. For large companies, ransoms are typically in the millions. This leads some to wonder whether paying a ransom is a good idea. According to Meehan, it could be the only option.
It is rare for a cybercriminal not to provide the decryption key after a business pays the ransom. “These ransomware groups are businesses, too,” Meehan said. “If word gets out that they don’t always give the key, they realize people will stop paying the ransoms. The decision to pay or not to pay is really a business decision. While it is generally not a good idea to negotiate with terrorists, you have to think about what happens if your business is shut down for four or five days, if not longer. That probably isn’t feasible.”
There are a couple of key actions a business can take to protect itself against ransomware attacks.
Don’t click it. As Meehan noted, some of the same advice that existed 20 years ago is still valuable today. “If you get an unexpected email, don’t click on links or open attachments. If I get something unexpected, I’ll often text the sender to make sure they had sent it. Taking an extra 30 seconds to validate an email is always a good use of time,” Meehan stated.
Stay up to date. Meehan said companies running outdated IT systems likely have inadequate protection. Cybercriminals actually scan job websites for companies hiring programmers with COBOL experience, because a posting for that old language, which many companies still rely on, signals that legacy systems are in use. Running versions of Windows or macOS that have reached end of life, for which security patches (updates) are no longer written, raises a company’s risk in the same way.
“As 5G networks are built, the number of connected IoT (internet of things) devices and sensors will continue to expand,” Meehan said. “This creates network vulnerabilities to large-scale attacks. The more connected you are, the more vulnerable you become because your digital footprint expands.”
According to Meehan, this will become a company’s greatest cyber risk over the next five years.
“All of these connected products create entry points into your network,” Meehan explained. “Even if an IoT device doesn’t necessarily create an intrusion point into your network, it could create a disruption point for your business.”
Meehan said it is important to ensure that any connected device is made by a reputable company and is patchable. Companies should also make sure someone is managing the lifecycle of their IoT devices. “Something purchased five years ago might not be patchable in another three years,” Meehan explained. “It’s important for someone to be responsible for recognizing the end of life of certain devices.”
Another risk with 5G derives from its greatest benefit: speed. Attackers can get in and out of a network much faster. Cybersecurity professionals are studying various IoT devices for signs of backdoors and other vulnerabilities. “Companies should be looking into the need to update their network encryption because a lot of what is being used today is outdated,” Meehan said.
Remote work has obviously become a bigger risk over the past year. According to Meehan, cybercriminals are taking advantage of misconfigured cloud security measures and insecure home networks and devices. Again, it’s about digital footprint. “Even when you have a headset or phone connected to your computer, you’re creating another potential entry point,” Meehan pointed out.
Due to these vulnerabilities, remote workers are often the target of phishing scams via email, text, voice and third-party apps. Remote workers must remain vigilant. (More on phishing below).
Another piece of advice from Meehan is to avoid “crossing over” devices. For instance, resist the urge to let one of the kids jump on your work computer for a few minutes. Likewise, refrain from using your work computer for your own personal reasons. Every website visited and email opened could pose a risk.
Phishing remains one of the most widely used tactics among cybercriminals, and not just for targeting remote workers.
One type of phishing email is made to look like a legitimate email from an organization or individual. The objective is to make the recipient feel comfortable and let their guard down, ultimately resulting in a clicked link, downloaded attachment or divulgence of personal information.
Phishing emails are often based on timely topics, which lately have included package tracking and vaccine-related information. Attackers can use bots to send thousands of automated emails.
Meehan said another type of phishing has become quite popular. Instead of going out to large numbers of people, spear phishing is highly targeted. An example is an email about a specific topic or even a specific project, sent to a specific group of people, often colleagues. The goal is to entice one of the recipients to click a link or divulge information.
“Spear phishing attacks aren’t necessarily for ransomware,” Meehan pointed out. “In many cases, spear phishers just want to be able to monitor what you’re doing and get information like log-in credentials.” For instance, you initiate a wire transfer. Later that day, an attacker who has been watching that correspondence sends an official-looking email asking for the wire to be redirected to a different bank account.
“Spear phishing is also a widely used tactic over the phone,” Meehan said. “Whatever the case, never give out credentials and always use two-factor authentication.”
Phishing is one form of social engineering, the broader practice of manipulating people into giving up confidential information. According to Meehan, social engineering accounts for more than 80% of reported cyber incidents. Furthermore, roughly 90% of organizations reported a social engineering attack within the past year.
“These attackers are the modern-day con artists,” Meehan said. “They try to get a conversation started to build trust. Some even go to job interviews to learn more about a company before initiating their attack.”
Social engineering is a popular tactic for phone attacks, but is also used in emails.
“Email filters have matured and can sometimes identify social engineering emails,” Meehan said. “User awareness campaigns also play a big role. Organizations need ongoing training to help employees spot the latest techniques being used by cybercriminals.”
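As an added illustration of the kind of check an email filter can apply to the phishing and wire-redirect tricks described above (a display name that shows a trusted address, a Reply-To that points elsewhere, a look-alike sender domain, and urgency or payment language), here is a small heuristic screen in Python. It is an example written for this page, not code from the article, from CONTROLTEK or from any mail filter product. The two messages at the bottom are constructed for the demo, and the trusted-domain list is an assumed placeholder that a real deployment would replace with the organization’s own domains and known partners.

```python
"""Heuristic screen for phishing and wire-redirect (BEC) emails.

Added example, not code from the AEM article or CONTROLTEK. The sample messages
are constructed for the demo; TRUSTED_DOMAINS is an assumed placeholder list.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List, Optional

# Assumption: domains the organization treats as its own or as trusted partners.
TRUSTED_DOMAINS = {"example.com"}

# Phrases that commonly accompany credential lures and wire-redirect requests.
URGENCY_PHRASES = ("urgent", "immediately", "wire", "account number",
                   "verify your", "password")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates (1-2 edits away), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if 0 < levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def screen(raw: bytes) -> List[str]:
    """Return finding codes for one raw RFC 5322 message (empty list = nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(sender)

    # 1. The display name shows an address whose domain differs from the real sender:
    #    the recipient sees "jane.doe@example.com" but the mail came from elsewhere.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and domain_of(shown.group(0)) != sender_domain:
        findings.append("display-name-mismatch")

    # 2. Reply-To points away from the From domain, so replies (and any "updated"
    #    wire instructions) go to the attacker rather than the apparent sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to-mismatch")

    # 3. Sender domain is a look-alike of a trusted one (digit 1 for the letter l, etc.).
    if lookalike_of(sender_domain):
        findings.append("lookalike-domain")

    # 4. Urgency or payment language in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency-language")
    return findings


# Constructed sample messages (not real mail).
PHISH = b"""From: "Jane Doe (jane.doe@example.com)" <jane.doe@examp1e.com>
Reply-To: jane.doe@secure-mail-relay.example
To: cfo@example.com
Subject: URGENT: updated wire instructions

Please redirect today's wire to the new account number below immediately.
"""

LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Q3 seminar agenda

Attached is the draft agenda for review when you have a moment.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, screen(raw) or ["no findings"])
```

Each rule on its own produces false positives (a legitimate partner may use a different Reply-To, and “wire” matches “wireless”), which is why a filter scores several signals together and why the user awareness Meehan describes still matters for the messages that pass.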
According to Meehan, 75% of cyber incidents originate from within the company. Furthermore, 40% start with an employee, often after falling victim to a phishing or social engineering scam.
“Insider threats can also be other people with access to your offices and computers, including contractors and security guards,” Meehan pointed out. “This is really important to note because this is something a company can control.”
Another thing a company can control is its insurance coverage. Meehan said cyber insurance has become a necessity today. But obtaining coverage isn’t enough. Companies must go through their policies with a fine-tooth comb.
“In the past, cyber insurance was just about mitigating the costs of identification and recovery,” Meehan related. “Now companies must also think about liability, especially if customer data includes more than just company name. It’s important to make sure a policy also covers everything you might need it to, from compromised emails to ransomware.”
“Do it once, do it right, do it globally” has been the longstanding motto of AEM’s Safety & Product Leadership Department, and it guides efforts to address ever-increasing global demands on equipment manufacturers to develop machines that are safe, productive and compliant. To learn more about AEM’s Safety & Product Leadership activities, visit https://www.aem.org/safety-product-leadership. To learn more about AEM’s Product Safety & Compliance Seminar, visit https://www.aem.org/events/conferences-and-webinars/product-safety-compliance-product-liability.
For more perspectives from industry experts, subscribe to the AEM Industry Advisor.