From Zoom meetings and remote workforces to socially-distant corporate events and conferences, this past year has been like no other for New Jersey business owners. As the COVID-19 pandemic has forced many employers to turn to virtual options to continue their operations, there has also been a significant spike in cybersecurity issues.
“Just over a year into this unprecedented pandemic, cyber risk – over 90% of which can be attributed to email-borne phishing attacks – has never been greater,” says Dave Wreski, CEO of Guardian Digital, Inc. He notes that there has been a 600% increase in phishing attacks due to COVID-19, and users are now three times more likely to click on a malicious link embedded in a phishing email (and ultimately disclose their account credentials) than they were pre-COVID.
“Credential theft due to phishing can have a devastating impact on a company and its clients, often leading to account takeovers, the exposure of sensitive data, and serious reputation damage,” Wreski adds, noting that Guardian Digital’s EnGarde Cloud Email Security program identified and quarantined more phishing emails in 2020 than in any year prior since the company’s founding in 1999.
Rashaad Bajwa, CEO of Domain Technology Partners, agrees that having a large portion of your workforce operating remotely and accessing confidential company files via home computers and mobile phones can often be a recipe for disaster. He notes that he has seen ransomware gang activity continue to accelerate over the past year. This is primarily due to the challenges of properly securing employees working from home, along with sky-high Bitcoin prices, which have made ransomware more prominent and lucrative than ever.
“When everybody is working from home there are more distractions and fewer safeguards to keep users from clicking on malicious links. Rather than upgrade their networks to secure remote workers, a lot of offices simply lowered barriers and opened up access to remote users,” he explains. “Unfortunately, the remote users weren’t always employees, but malicious actors looking for vulnerable networks.”
One of the greatest cybersecurity threats to a business remains ransomware, which has become a top priority among government agencies – like the Cybersecurity and Infrastructure Security Agency (CISA) and US Department of Homeland Security – due to the significant impact that attacks continue to have on organizations worldwide. According to Wreski, a successful ransomware attack often results in significant, costly downtime, lost data and files, and severely damaged client trust.
“Small- and medium-sized businesses are an especially popular target among ransomware operators, who recognize that these companies often lack the cybersecurity resources and expertise required to repel an attack,” he adds. Wreski notes that only 29% of these businesses have experience with ransomware, making them more likely to be unprepared for the threat, while 60% of businesses that get hit with ransomware are forced out of business within six months of the attack.
“CEOs should continually ask themselves if their company could survive a cyber attack, and understand what the reputational harm and impact to revenues could be,” says John Gomez, CEO of Sensato.
In May, a cyber-criminal gang successfully took a major US fuel pipeline offline. The pipeline carries some 2.5 million barrels per day, representing 45% of the East Coast’s supply of diesel, petrol and jet fuel. The incident with Colonial Pipeline is being considered one of the most significant attacks on critical national infrastructure in history. “The pipeline attack we just saw is just one example of how impactful these types of cyber attacks can be,” Gomez says.
Unfortunately, many businesses – particularly small and mid-sized ones – continue to face other significant, growing challenges when it comes to cybersecurity. Wreski explains that they often lack the IT resources and cybersecurity expertise required to combat today’s advanced cyber threats like targeted spear phishing and, of course, ransomware. “In addition, the increase in remote workers has created far more endpoints – such as laptops and mobile phones – than ever before, many of which lack adequate security defenses, have not been updated, or are connected to insecure networks,” he adds.
The COVID-19 pandemic has also created some unique opportunities for hackers to access secure corporate information. “There are now all of these apps popping up that people think are trustworthy because they appear to be from the government, a hospital or other healthcare provider, such as some sort of COVID symptom checker or tracker, but then it actually turns out to be malware,” Gomez says. “It’s become a great way for hackers to spy on your employees and gain access into your company’s corporate environment.”
So, what should businesses do to protect themselves from cyber attacks? For starters, Bajwa recommends that all remote work solutions be secured with a virtual private network or multifactor authentication (MFA), or ideally both. While multifactor authentication for logging into work systems used to cost upwards of tens of thousands of dollars to implement, there are now low-cost or even free MFA tokens available via Microsoft or Google Authenticator, giving businesses access to this extra layer of protection against a cyber attack.
“With daily reports of passwords being stolen from websites all over the world, it’s not a matter of if your credentials will be stolen, but when,” Bajwa asserts. “Multifactor authentication ensures that even with a stolen password, bad actors can’t access your network unless they also have physical access and log in to your mobile phone. These additional layers of security are increasingly becoming the only relatively secure way to provide remote access without asking for a security incident.”
Gomez warns that many companies still don’t recognize the reality of cyber attacks and the level of sophistication that hackers often have. “Many people still think that a cyber attacker or hacker is a college drop-out who’s living in their parents’ basement and has nothing else to do, but unfortunately that image was the reality 10 to 15 years ago,” he says. “Today’s hackers have attended notable universities and possess advanced degrees, and they’re signing on with criminal organizations offering them everything from salaries and bonuses to benefits and vacation time.”
To that end, Bajwa also advises business owners to routinely check their backup solutions, invest in cybersecurity insurance, and follow the rule of least privilege so that users have only the minimal amount of permissions needed to perform their job. And, of course, it’s always a good idea for companies to have a third party look into their cybersecurity defenses.
“If you give everyone the keys to the castle, they can create a lot more damage than if they only have access to their local sandbox of resources,” he says. It’s also important for business owners to take the time to educate their employees about how to prevent cyber attacks and ensure that their workforce is aware of how to identify something that doesn’t seem right or could lead to a compromise.
“The financial and reputational cost of ignoring your cyber risk these days can pose an existential risk to your business,” Bajwa concludes. “When it comes to cybersecurity, ignorance is definitely not bliss.”