It’s All Hacked Up
How to Detect and Ultimately Prevent Cyber Criminals from Compromising Your Business or How Poor Cyber Security is Putting Businesses at High Risk for Cyber Crime
by Craig Peterson
All businesses are at risk for cybersecurity threats. You may think your business is protected with the latest and greatest, but here’s the scary truth:
In my 30 years of experience as a global digital security expert, I’ve seen that it’s the smart, tech-savvy business leaders – the ones who think their cyber protocols are firmly in place – who are actually the most exposed. This was confirmed in a recent study by CBT Nuggets:
- Those who self-identified as “tech savvy” were 18 percent more likely to be victims of online identity theft than those who didn’t
- Those with PhDs fell victim more frequently than high school graduates
The Business Email Compromise (BEC)
One of the most nefarious scams out there is the “business email compromise” (BEC), an online identity theft technique that often targets company executives. Recently, Trend Micro reported that “cybercriminals fooled the CEO position most…”
Basically, the hacker sends an email as the CEO – either from the CEO’s real account, taken over through phishing, or from a look-alike domain name that differs from the company domain by only one or two letters – and directs other company officials to wire money for what appears to be a legitimate purpose.
Tom Kemp, CEO of Centrify Corporation, a security solutions company, came close to becoming a victim of a BEC scam.
The first attempt started as an email from what looked to be Tom’s email account to the CFO (named Tim) requesting a wire transfer of over $350,000. As Tim was checking the request, Tom reported:
“Meanwhile, I finally stroll into work and Tim sees me walking by his office and asks me about me requesting a wire transfer that morning, and I say ‘huh?,’ confirming to us all that a scam was on.”
When they scrutinized the request, they saw that the sent-from email domain was just a few letters off from centrify.com (“centrilfy.com”), and were able to save themselves from being bilked out of hundreds of thousands of dollars. Since then, Tom said, “…my company and I now regularly experience various forms of sophisticated attempts to get us to transfer money to crooks.”
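The look-alike domain in Tom Kemp’s story (“centrilfy.com” standing in for centrify.com) is exactly the kind of thing a mail gateway or a simple mailbox rule can catch before a CFO ever reads the message. The script below is an added example written for this article, not code from Centrify or from the author: it parses a handful of constructed From headers, measures how far each sender domain is from the company domain by edit distance, and also flags messages where the display name matches an executive but the address is external (the other common BEC pattern). The company domain and the “Tom Kemp” executive name come from the article; every header, the free-mail and supplier addresses, and the threshold of two edits are assumptions for the demonstration.

```python
"""Flag look-alike sender domains and display-name spoofing in From headers.

Added example for the article; constructed input, not real mail traffic.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "centrify.com"          # domain from the article's example
EXECUTIVE_NAMES = {"tom kemp"}           # executives whose names crooks impersonate

# Constructed sample headers. "centrilfy.com" is the look-alike quoted in the
# article; the others are invented to show each outcome of the classifier.
SAMPLE_FROM_HEADERS = [
    "Tom Kemp <tom@centrify.com>",             # genuine internal sender
    "Tom Kemp <tom@centrilfy.com>",            # one inserted letter
    "Tom Kemp <tom@centr1fy.com>",             # digit substituted for a letter
    "Tom Kemp <tom.kemp@freemail.example>",    # right name, unrelated domain
    "Vendor Billing <ap@supplier.example>",    # ordinary external mail
    "Tom Kemp <no-address-here>",              # malformed, no domain at all
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete ca
                           cur[j - 1] + 1,            # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_parts(header: str) -> tuple[str, str]:
    """Return (display name, domain) from a From header, both lower-cased."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def classify(header: str,
             company_domain: str = COMPANY_DOMAIN,
             max_distance: int = 2) -> str:
    """Label a From header: internal, lookalike, display-name-spoof, malformed or external.

    A domain within `max_distance` edits of the company domain is a look-alike.
    A message whose display name is an executive's but whose domain is neither
    the company's nor a look-alike is display-name spoofing. Both deserve a
    hold-and-verify step before any wire transfer is actioned.
    """
    name, domain = sender_parts(header)
    if not domain:
        return "malformed"
    if domain == company_domain:
        return "internal"
    if levenshtein(domain, company_domain) <= max_distance:
        return "lookalike"
    if name in EXECUTIVE_NAMES:
        return "display-name-spoof"
    return "external"


def triage(headers: list[str]) -> dict[str, list[str]]:
    """Group headers by verdict so the suspicious ones can be reviewed together."""
    buckets: dict[str, list[str]] = {}
    for header in headers:
        buckets.setdefault(classify(header), []).append(header)
    return buckets


if __name__ == "__main__":
    for verdict, headers in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict}:")
        for header in headers:
            print(f"  {header}")
```

The edit-distance threshold is deliberately small: at two edits it catches transposed, dropped, inserted and substituted characters (including digit-for-letter tricks) without sweeping in unrelated short domains. In a real deployment the same check belongs in the gateway’s header-inspection stage, and a hit should route the message to a quarantine or a banner rather than silently dropping it, so that finance staff learn what the attempts look like.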
But many companies are not so lucky.
According to the FBI, between January 2015 and June of 2016, there was a 1,300% increase in BEC scams, affecting over 14,000 U.S. businesses for a combined loss of over $960M.
BEC is far more costly to businesses than virus attacks. The average cost of a virus attack is $700. The FBI estimates that the average cost of BEC is $67,000 – 100 times more! And yet most executives have not taken the necessary steps to protect their companies from this threat.
A Failure to Protect
What’s astounding to me is that so many businesses either think they are protected when they’re not, or deliberately continue operating protocols that they know are not secure.
Just this month, new research from Verizon found that businesses using mobile access for employees are ignoring security threats; because employees love mobile for speed and efficiency, many organizations are letting security concerns ride and prioritizing mobility above all else.
According to the report, “those that sacrificed security were 2.4-times as likely to experience data loss or downtime due to an incident involving a mobile device. This happened to 45 percent of those that put expediency and performance before mobile security.”
Companies are failing to protect at even basic levels. The survey found that “only 39 percent said they change all default passwords and more than half didn’t have a public Wi-Fi policy.”
And this is what drives me crazy: people just don’t care. Businesses take the position that it’s cheaper not to put security in place and simply to pay the cost of recovery and recompense after a hack. I’ve seen it time and again: business owners admit that they’re just too lazy and don’t want to be inconvenienced by online security requirements.
They are turning a blind eye to the numerous and often high costs of ignoring online security: damage to reputation from lost or stolen data, financial losses from hacks like the BEC scam, lost time and productivity, legal threats from exposed clients, and the risk of lawsuits and fines for breaking the laws on protected data. Business leaders should care more, and they should be willing to invest in security that will save them the time, the money, and the hassle that all of these cyber threats bring.
“Sure, We’re Protected”: When a Law Firm Practices Hubris
Then there are those businesses that think they are protected when they’re really not. Law firms are a good example. A law firm has special responsibilities for keeping client data secure: just as medical systems must protect personally identifiable information (PII), law firms are required by law to protect attorney/client privilege and their clients’ financial information.
I have a lawyer friend who grew concerned about online security when visiting his brother’s law firm. He asked the IT team some questions about how they were protecting the network, and got only reassurances that “everything is just fine.”
Because of his prior discussions with me about security, he could tell that there were some holes – but the IT team would not hear it. So he walked out into the hallway outside the office and, using readily available hacking tools, accessed their network, wrote up a contract, inserted digital signatures from the partners, and printed it on their own printers.
When he walked back in, he had proof that the firm was nowhere near as prepared on security as it believed. And that was the work of a relative amateur using tools anyone could download from the Internet.
What You Can Do About It
The examples above are not uncommon. The thing is, it’s not that hard to do something about online security. There are some simple steps you can take to protect your business, starting with a quick assessment of whether you’ve already been compromised.
You can find out if your business has been compromised by checking whether your employees’ credentials have been stolen. Detecting stolen employee credentials is one of the first steps in prevention – it should put you on guard that an attack on your business’s or your customers’ online assets is imminent.
I help my clients find this information by searching the “dark web.” The dark web is the part of the web that is hidden, not indexed by search engines, and accessible only through special software that lets users remain anonymous or untraceable. Our system monitors the dark web to discover whether employees’ credentials, such as email addresses, usernames, and passwords, have been stolen or their accounts hacked. If we detect them, we send an alert so businesses can respond swiftly, before a compromise actually happens.
I recommend taking these steps, at least to start:
- Protect against piracy with early detection of compromised employee credentials
- Monitor the dark web for stolen corporate credentials of your employees
- Safeguard the personal credentials of highly-targeted executives and privileged employees
- Receive alerts if compromised employee credentials are discovered on the dark web
Along with my work in security, I’m a member of the FBI’s InfraGard team (InfraGard is a partnership between the FBI and private businesses to protect against cyber crimes), along with Homeland Security, and I make sure to pass on what I learn to my readers and clients. You can sign up for these alerts here (link to XX).
Tell us your security concerns by sending an email to firstname.lastname@example.org.