Let’s start this with a “once upon a time” thought. Once upon a time, cybercriminals who wanted to breach your systems had to have technical knowledge and skills that enabled them to infiltrate your systems to capture your most sensitive data.
Not anymore. Now, the most effective and cheapest way for hackers to get into your system is by tricking your employees into helping them do that (without their knowledge, of course) through phishing scams. Vade, a global company for AI-powered email security, published its Q3 2023 Phishing and Malware Report, which found that phishing volumes had “increased by 173% compared to the previous quarter (493.2 million vs. 180.4 million).”
I’ve written about the threats of cyber attacks numerous times, both on this site and on my IdeaXchange blogs where I wrote a blog on cybersecurity just this past October. Once a cybercriminal gets into your system, it can be both difficult and costly to resolve the issue.
The latest phishing schemes (or should I say, scams)
One thing is definite: as soon as the business world catches on to the latest scams and educates employees to recognize them, bad actors devise brand new ones to take their place. It’s a never-ending cyber whack-a-mole. Here are just some of the latest schemes to watch out for:
Sorry, wrong number – An employee gets a text message on their mobile device that “obviously” was supposed to be sent to someone else. As a decent person, your employee responds and the original sender (the bad actor who has already done research on your employee) starts an ongoing conversation that can seem entirely harmless. Once a relationship develops, the scammer convinces the employee to download an attachment that will help them in their business.
Juice jacking – If you’ve ever been at the airport or a mall or just about anywhere public and decided to charge your computer through the facility’s public USB port, be careful. In juice jacking, cybercriminals load malware onto the charging stations. Once a user uses the charger, he or she unintentionally is exporting personal data and passwords directly to the criminal. If the device being charged is a work device, your worker has just exposed your business to the hackers.
Payment, please – In this case, a bad actor creates and sends a fake invoice that appears to come from a known supplier indicating that the bank account or address has changed. Then they’ll ask for wire transfers or payment methods that take time to verify. If there are numerous suppliers and the company is still using manual processes, it’s easier for fake invoices to get through.
No one is immune – Even the C-suite and senior executives can fall victim to a phishing attack known as whale phishing. In these cases, higher-level executives and those with access to financial information or other sensitive information are targeted. The target receives an email that looks like it comes from a known source and is asked to
Not so social media – Your company decides to post information on a social media site touting a new deal (possibly the signing of a new client, partner, or supplier). Using the information provided, bad actors create a social media profile pretending to be a senior official from that partner, client or supplier requesting data that they need for their own purposes.
In each of the above cases, hackers were inadvertently given access to the data without your employee (or executive) ever suspecting a thing. So how can you either prevent or mitigate the damage from a cyberattack?
Ten practices to bolster cybersecurity
Protecting your company’s data against cybercriminals may seem insurmountable. To be fair, even the most tech-savvy companies have found their data compromised. Every business today needs an IT department or employee who is well-versed in the risks to cybersecurity. There are additional steps you can take to mitigate the damage.
- Ongoing employee training – As cybercriminals get smarter and AI becomes more difficult to detect, you need to keep educating your staff about cybersecurity risks and let them know how important it is that they report suspicious activities immediately. Teach them how to recognize phishing attempts and inform them of new ways cybercriminals are tricking employees so they will be on the lookout for such attempts.
- Regular software updates – This should be obvious, but some teams may get complacent and not install the latest updates to their software and systems. It is vital that all operating systems, applications and IoT devices have the latest updates to patch any vulnerabilities.
- Network security – Implement firewalls, intrusion detection and prevention systems, and encryption protocols to secure your network and data transmissions.
- Control access – You may have too many employees with access to critical systems and data. Limit access to only those whose job roles necessitate it. Then implement multi-factor authentication (MFA) to enhance identity verification.
- Data encryption – Encrypt sensitive data whether for internal usage or during transmission to prevent unauthorized access.
- Backup and recovery – This is something that should be done as a general practice to guard against not just cyberattacks but power outages or other potential disasters and disruptions. By backing up critical data and systems, you ensure quick recovery when the danger has passed.
- Continuous monitoring – You need to be constantly vigilant to ensure that you can detect and respond to potential threats in real time. Monitor systems and networks continuously.
- Incident response plan – You likely have a disaster mitigation plan to respond to natural disasters or some other disruption. You should devote the same amount of time to developing a comprehensive response to a cyber breach. Regularly test and update this plan since cybercriminals keep coming up with new ways to threaten your business.
- Vendor assessment – Some of the worst data breaches companies experience didn’t originate in their own company but rather from a trusted vendor. According to an article in Cybersecurity Dive, “A total of 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years.” The article also notes that “Third-party vendors are five times more likely to exhibit poor security.” Make sure your vendors meet your high security standards.
- Physical security – Cybersecurity needs to be backed up with actual physical security when it comes to access to vehicles, data centers and other critical infrastructure.
One more thing: we’re about to enter the holiday season…besides the good cheer and holiday parties, make sure you stress to your employees that this is a prime time for scams, especially things like fake charity emails.