Cybersecurity incidents and breaches often result from improperly secured systems and a lack of user education and awareness, which means you can often prevent them with a more stringent cybersecurity strategy.
In 2020, the Internet Crime Complaint Center (IC3) received a record number of cyber-related complaints—more than 791,000—with losses exceeding $4 billion. The main incidents businesses and individuals reported were ransomware attacks, phishing scams, and business email compromises.
Fraudsters and cybercriminals used the global pandemic and the resulting work-from-home orders as a way to target individuals. Through malicious emails and fraudulent websites relating to the CARES Act and other COVID-19 information, they harvested personally identifiable information (PII) with targeted phishing emails and then used it to extort money or file illegitimate claims.
Cybercriminals also stole login credentials for virtual private networks (VPNs) and other remote access tools to gain access to systems and business data.
Headlines make it seem like breaches happen only to large organizations; however, attackers target small and midsized organizations more frequently because they lack sophisticated security controls. Organizations with fewer than 250 employees have the highest targeted malicious email rate, at one in 323.
The Biggest Cybersecurity Threats
It’s important to understand some of the most common cyberthreats your organization could face as you strengthen cybersecurity controls and attempt to avoid these issues.
Some of the most widespread cybersecurity threats are ransomware and phishing.
What Is Ransomware?
Ransomware is malware an attacker installs on a victim’s system via a phishing attack or infected website to lock or encrypt a victim’s data until they pay large sums of money.
Every day since 2016, more than 4,000 ransomware attacks have targeted businesses, government systems, and home users. Spearphishing and business email compromise are the primary vectors through which these attacks succeed.
What Is a Phishing Attack?
Email phishing is a social engineering technique that uses email to deceive end users into providing sensitive information, such as:
- Social Security numbers
- Payment card numbers
It’s also one of the main delivery methods of a ransomware attack.
A phishing email will typically use a Word, Excel, or PDF attachment to carry the ransomware program; it infects the target’s computer when the recipient opens it.
Some ransomware variants, such as WannaCry and Petya, could infect multiple systems at once and disable an organization’s operations for days, and sometimes even weeks.
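The attachment-based delivery described above is exactly where a mail gateway can intervene, by inspecting what an attachment actually is rather than what its name claims. The following is an added example, not code from this article: it parses a constructed phishing-style message and flags attachments with double extensions, executable or macro-enabled types, content whose magic bytes contradict the declared format, and Office documents that carry a VBA macro project (the `vbaProject.bin` entry in the OOXML zip container). The message, sender addresses and payload bytes are all constructed placeholders.

```python
"""Attachment triage for a mail gateway (added example; the message is constructed)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that commonly carry executable or macro content.
HIGH_RISK_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso",
                 ".docm", ".xlsm", ".pptm"}

MAGIC_PDF = b"%PDF"
MAGIC_ZIP = b"PK\x03\x04"        # OOXML (.docx/.xlsx) is a zip container
MAGIC_OLE = b"\xd0\xcf\x11\xe0"  # legacy binary Office (.doc/.xls)


def _extensions(filename):
    """All extensions of a name, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def _ooxml_has_macros(data):
    """True if the zip container holds a VBA project (macro-enabled document)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachments(raw_message):
    """Return a finding (filename, declared type, reasons) per suspicious attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        exts = _extensions(name)
        last = exts[-1] if exts else ""
        reasons = []
        if len(exts) > 1:
            reasons.append("double extension")
        if last in HIGH_RISK_EXT:
            reasons.append(f"high-risk type {last}")
        if last == ".pdf" and not data.startswith(MAGIC_PDF):
            reasons.append("claims PDF but content is not PDF")
        if last in {".docx", ".xlsx"}:
            if not data.startswith(MAGIC_ZIP):
                reasons.append("claims OOXML but content is not a zip container")
            elif _ooxml_has_macros(data):
                reasons.append("OOXML document contains VBA macro project")
        if data.startswith(MAGIC_OLE) and last in {".docx", ".xlsx", ".pdf"}:
            reasons.append("legacy OLE binary disguised as another format")
        if reasons:
            findings.append({"filename": name,
                             "content_type": part.get_content_type(),
                             "reasons": reasons})
    return findings


def build_sample_message():
    """Constructed message: a macro-carrying .docx, a double-extension .exe, a clean PDF."""
    macro_doc = io.BytesIO()
    with zipfile.ZipFile(macro_doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder macro project")
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"      # constructed
    msg["To"] = "employee@example.com"        # constructed
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(macro_doc.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Invoice_2021.docx")
    msg.add_attachment(b"MZ placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="Statement.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="Terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_attachments(build_sample_message()):
        print(finding)
```

Only the macro-enabled document and the double-extension executable are reported; the genuine PDF passes. In production the same checks would feed a quarantine or a detonation sandbox rather than a print statement.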
What Is Business Email Compromise?
Business email compromise is a specialized variant of phishing. It’s a heightened level of deception that involves impersonation, as the attacker uses artificial intelligence to build behavioral profiles of key executives and mimic their email behavior.
An employee will receive an email that asks for sensitive information like a request to switch account numbers, or to move funds from one bank to another. However, the attacker will make the email look as though it came directly from a C-level executive, which is why these attacks have also become known as CEO fraud.
Risks of a Ransomware Attack
Two common consequences of a ransomware attack are cyberextortion and data breaches.
What Is Cyberextortion?
Ransomware is the most common type of cyberextortion. Cyberextortion occurs when cybercriminals demand payment by carrying out, or threatening, some form of malicious activity against a victim, such as a data compromise or a denial-of-service attack.
Victims of ransomware usually face demands to pay criminals in bitcoin. Reports also exist of demands for other currencies and for gift cards. Ransoms typically reach several thousand dollars, with some recent payments in the millions.
Cybercriminals realize that if they keep ransom demands small and establish a reputation for handing over decryption or access keys consistently, they can earn profits of tens of thousands of dollars per month.
What Data Is Sensitive to a Data Breach?
A ransomware attack places the organization’s data at high risk, as cyberattackers can now exfiltrate it before encrypting it. During Q2 2021, more than 80% of ransomware attacks also included the threat to leak stolen data.
Threatening to publish sensitive data, whether to the public or on the Dark Web, has become a common ploy to pressure businesses into paying.
The types of data that may be sensitive include:
- Source code. Code that houses the building blocks of any proprietary software.
- Proprietary information and systems. Databases that include trade secrets, business strategies, product designs, and even operational procedures.
- Personally identifiable information (PII). Data that can identify, contact, or locate a specific individual, either on its own or in combination with other information.
- Protected health information (PHI). Information about health status, provision of health care, or health care payments that can link to a specific individual.
- Customer lists. A data set that may contain PII, contact information, proprietary research, financial information, or competitive analysis. This data is usually intended for internal use only.
There’s much debate circling the central question of a ransomware attack: if you get hit, should you pay the ransom?
According to Coveware, the average ransom payment in Q1 2021 was around $220,298, up 43% from its Q4 2020 report. The average then declined to $136,575 in Q2 2021; however, costs can escalate quickly for larger organizations when infection occurs across multiple systems.
The ransom payment isn’t the only expense. Approximately 71% of organizations hit with ransomware won’t recover all of their data, according to a Kaspersky report from March 2021. Regardless of whether an organization pays the ransom, the time and money it takes to recover from these attacks can cripple it.
When a data leak of sensitive information threatens an organization, only 50% of victims opt to pay, according to a Q2 report by Coveware. The share of victims that pay, whether facing a data leak or not, has fallen over the past year.
The US Department of Justice recommends not paying a ransom: payment doesn’t guarantee you’ll be able to recover all of your data, some victims that paid were targeted again precisely because they paid, and paying encourages more of this cybercriminal activity.
In the end, organizations have to weigh the costs and benefits of how much money they lose each day that attackers lock them out of their systems—and determine the risk and benefits of paying.
Other Common Cybersecurity Threats
While ransomware, phishing, and data leakage represent some of the top threats organizations face, hacking and insider threats still happen frequently. An organization’s risk assessment program needs to cover all bases.
What Is Hacking?
Hacking refers to activities that seek to compromise systems. Gaining access to IT systems from outside an organization is still a cyberthreat that organizations must prepare for. Hackers gain access to sensitive data and exfiltrate it for profit, or simply for the thrill.
Hackers use numerous methods to try to gain access to systems, including social engineering, tricking staff into revealing usernames and passwords, and exploiting software vulnerabilities and misconfigurations.
If a hacker can’t get through the firewall protecting a target’s network infrastructure, then they’ll move on to the next easiest place, which is the network’s applications and systems.
With the move of infrastructure and applications into the cloud, cloud configuration issues have become a prime target for attackers and cybercriminals. A report by Aqua Security found that 90% of organizations have cloud misconfigurations due to lenient access control, lax storage policies, and publicly exposed assets.
Hackers can also exploit another vulnerability: outdated or unpatched software. Software companies frequently release patches that close critical security vulnerabilities in their applications, but those patches can take time to install.
Zero-day vulnerabilities and other software vulnerabilities can expose the application or underlying infrastructure and databases to compromise. The Ponemon Institute determined a zero-day attack directly caused 80% of all successful data breaches in 2019.
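The cloud misconfiguration pattern described above (lenient access control and publicly exposed storage) is concrete enough to check mechanically. The following is an added example, not code from this article or from the Aqua Security report: it audits a storage bucket policy written in the AWS-style JSON policy grammar (`Effect`, `Principal`, `Action`, `Resource`, `Condition`) and reports every statement that grants access to any principal without a limiting condition, showing a weak policy beside a hardened one. The bucket name, account id, and VPC endpoint id are constructed placeholders.

```python
"""Audit a bucket policy for statements that make the resource public (added example)."""
import json

# Constructed weak policy: two statements open the bucket to everyone.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-reports/*"},
        # Wildcard principal, but scoped to one VPC endpoint (placeholder id).
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        # A Deny with a wildcard principal is a hardening measure, not an exposure.
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed hardened policy: access limited to one named role (placeholder account id).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReportsReader", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/reports-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_everyone(principal):
    """True when the principal is the wildcard, or an AWS entry is the wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json):
    """Return Allow statements that grant unconditioned access to any principal."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition; still worth a manual review
        actions = _as_list(stmt.get("Action"))
        verbs = [a.split(":")[-1].lower() for a in actions]
        findings.append({
            "sid": stmt.get("Sid", "(no Sid)"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            # Public write or delete is the more dangerous exposure.
            "allows_write": any(v == "*" or v.startswith(("put", "delete")) for v in verbs),
        })
    return findings


if __name__ == "__main__":
    print("weak:", public_statements(WEAK_POLICY))
    print("hardened:", public_statements(HARDENED_POLICY))
```

The hardened policy yields no findings because the only Allow names a specific role. Conditioned wildcard statements are skipped here rather than flagged, since a condition such as a VPC endpoint restriction can legitimately narrow "everyone"; a stricter audit would list them for review.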
What Are Insider Threats?
Although it’s difficult to hear, most cybersecurity breaches come from inside an organization. Simply put, a person gets hired, accesses the network, and performs malicious acts like acquiring sensitive customer data and attempting to profit from its sale to cybercriminals.
Insider threats increased by 47% between 2018 and 2020. A 2021 report from Cybersecurity Insiders also states that 57% of organizations feel insider incidents have increased during the past 12 months.
Insider threats are more difficult to detect, and an employee can cause them intentionally or through negligence.
In March 2020, after being terminated due to the pandemic, a disgruntled ex-employee hacked into his former employer’s systems, gained administrator privileges, and deleted or changed more than 120,000 records. The incident caused significant delays in medical equipment deliveries to health care providers.
In another example, cybercriminals saw an opportunity when many of Twitter’s staff started working from home. In July 2020, after gathering information on key home-working employees, the hackers called them up and impersonated Twitter IT administrators.
During these calls, they successfully persuaded some employees to disclose their account credentials. Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of approximately 130 high-profile accounts—including those belonging to Barack Obama, Joe Biden, and Kanye West—and used them to conduct a Bitcoin scam.
This incident put “vishing” (voice phishing) on the map, and reinforces the need to apply the same level of cybersecurity protection to all employees, whether they’re working on your premises or in their own homes.
The prevalence and success of cyberattacks rely on end users’ lack of cybersecurity awareness, which makes them the weakest link in any security program. An action as simple as clicking on an unknown website or email attachment could give an attacker their initial entry point.
Steps to Protect Your Organization from a Cyberattack
So how do individuals and organizations protect themselves? Training and technology.
Establish Security Awareness Training
Awareness training is a necessary first step in any security program, yet many organizations don’t take it because it requires time, resources, and commitment to a training program.
It may also require backing of an organization’s governing body, management, human resources department, and IT, which can sometimes overwhelm organizations.
Organizations should consider providing security awareness training for every new hire and instituting an annual refresher course for all employees. It’s imperative that organizations also employ other methods, such as a monthly email reminder or awareness posters in the break room, to frequently remind end users about safe computing habits.
Ensure Technology and Controls Are Current
Organizations must work to ensure their IT systems are current and include rigorous protections to deter and detect attacks.
System Maintenance Checklist
- Network infrastructure design and perimeter protections
- Anti-malware and data leakage strategy
- Security information and event management logging
- Incident response procedures
- Backup and restoration processes
The plan requires a defense-in-depth approach, which layers information security best practices and fundamentals. Multiple controls need to be in place to defend against different types of attacks or failures.
Controls to Implement
- Endpoint security
- Regular patching
- Policies and procedures
- Security awareness training
- Third-party vendor management
- Credentials and access management
- Logging and monitoring
- Backup and recovery
Once these systems and controls are in place, organizations stand to benefit from annual testing by an independent and qualified third party to help ensure proper implementation.
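The "logging and monitoring" and "credentials and access management" controls listed above are only useful if someone turns the logs into alerts. The following is an added example, not code from this article: it runs two detection rules over constructed VPN authentication log lines of the kind a SIEM would collect, one for many failed logins from a single source (password guessing or credential stuffing, the remote-access credential abuse described earlier in the article), and one for a run of failures followed by a success on the same account (a sign that guessed or phished credentials worked). The log format, usernames, and addresses (RFC 5737 documentation ranges) are constructed, not taken from any product.

```python
"""Detection rules over VPN authentication logs (added example; log is constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one line per authentication attempt.
SAMPLE_LOG = """\
2021-07-15T02:14:05Z vpn-gw auth user=alice src=203.0.113.45 result=FAIL
2021-07-15T02:14:09Z vpn-gw auth user=bob src=203.0.113.45 result=FAIL
2021-07-15T02:14:14Z vpn-gw auth user=carol src=203.0.113.45 result=FAIL
2021-07-15T02:14:20Z vpn-gw auth user=dave src=203.0.113.45 result=FAIL
2021-07-15T02:14:27Z vpn-gw auth user=erin src=203.0.113.45 result=FAIL
2021-07-15T02:14:33Z vpn-gw auth user=frank src=203.0.113.45 result=FAIL
2021-07-15T08:01:10Z vpn-gw auth user=mlee src=192.0.2.10 result=FAIL
2021-07-15T08:01:31Z vpn-gw auth user=mlee src=192.0.2.10 result=OK
2021-07-15T08:05:00Z vpn-gw auth user=tnguyen src=192.0.2.22 result=OK
2021-07-15T09:40:02Z vpn-gw auth user=jsmith src=198.51.100.7 result=FAIL
2021-07-15T09:40:15Z vpn-gw auth user=jsmith src=198.51.100.7 result=FAIL
2021-07-15T09:40:29Z vpn-gw auth user=jsmith src=198.51.100.7 result=FAIL
2021-07-15T09:41:03Z vpn-gw auth user=jsmith src=198.51.100.7 result=OK
"""


def parse_line(line):
    """Split '<ts> <host> auth key=value ...' into a dict with a datetime 'ts'."""
    ts, host, _event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["host"] = host
    return fields


def detect(log_text, src_fail_threshold=5, account_fail_threshold=3,
           window=timedelta(minutes=10)):
    """Return alerts for password guessing and for failures followed by success."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    fails_by_src = defaultdict(deque)      # source -> recent failure timestamps
    fails_by_account = defaultdict(deque)  # (user, source) -> recent failure timestamps
    alerted_src = set()                    # alert once per source

    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            for q in (fails_by_src[e["src"]], fails_by_account[key]):
                q.append(e["ts"])
                while q and e["ts"] - q[0] > window:   # drop failures outside the window
                    q.popleft()
            # Rule 1: many failures from one source, across any accounts.
            if len(fails_by_src[e["src"]]) >= src_fail_threshold and e["src"] not in alerted_src:
                alerted_src.add(e["src"])
                alerts.append({
                    "rule": "password_guessing", "src": e["src"],
                    "failures": len(fails_by_src[e["src"]]),
                    "accounts": sorted(u for (u, s), q in fails_by_account.items()
                                       if s == e["src"] and q),
                })
        elif e["result"] == "OK":
            q = fails_by_account[key]
            while q and e["ts"] - q[0] > window:
                q.popleft()
            # Rule 2: a success right after repeated failures on the same account.
            if len(q) >= account_fail_threshold:
                alerts.append({"rule": "failures_then_success", "user": e["user"],
                               "src": e["src"], "failures": len(q),
                               "at": e["ts"].isoformat()})
            q.clear()   # a success resets the account's failure run
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the spray from 203.0.113.45 trips the first rule at the fifth failure, and jsmith's three failures followed by a login trip the second; mlee's single typo followed by a login stays below the account threshold. Thresholds and window are parameters because the right values depend on the user population and the lockout policy already in place.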
It takes time and commitment to provide the training and technology to protect an organization, but when done properly, it can greatly reduce the risk of a cybersecurity breach.
We’re Here to Help
If you have questions about how to protect yourself against cyberthreats, please contact your Moss Adams professional.