Investing in cybersecurity pays dividends

May 11, 2020

Rising cybercrime is proving costly for unprepared companies. Without strengthened cybersecurity, they may even risk being pushed out of business by a major attack.

Despite increasingly sophisticated phishing, malware and ransomware events, not enough small and medium-sized companies invest sufficiently to insulate themselves against cybercrime.

Strengthening IT systems, bolstering user verification, using complex passwords and efficiently patching homeworkers’ computers are crucial to helping gain protection from hackers scouring for credit card, health, personnel or client records. Hardening systems can also help shield against industrial espionage attacks that could be orchestrated by corporate rivals looking to steal sensitive data about pipeline products or research.

As authorities warn of a potential rise in cybercrime during the COVID-19 pandemic, companies need to be increasingly on alert and strengthen their cybersecurity to reduce the risk of attack.

Here’s what firms need to know about cybercrime and data loss.

Reduce cybercrime with multifactor authentication

Getting unauthorized access to systems is often relatively simple for hackers, particularly if companies have not taken enough precautions, such as multifactor authentication, to protect their systems and information.

Any company that still uses simple username and password authentication for its virtual private networks (VPNs) is vulnerable to hackers, who find it harder to crack two-step authentication methods, such as passwords combined with timed access codes generated by mobile phone apps. Too often employees use obvious and overly simple passwords, which are easily cracked by the automated “password sprays” that many hackers use.

If they hit the jackpot with a correct VPN password and username combination, hackers can easily gain unauthorized access and worm their way into a company’s systems. Once inside, hackers can comb through easily accessible data. If they can figure out how to gain administrative access to a server, they can elevate their privileges to allow them to tap into more sensitive information.

Multifactor authentication uses data that is unique to the user and extremely difficult for hackers to fake, such as biometric identification (for example, fingerprints) or codes delivered to pre-approved devices.

Protect personal data

Many hackers are on the hunt for information such as personal and financial data they can easily sell on the dark web.

Credit card numbers accompanied by data contained on the magnetic strip can be sold to criminals looking to create physical cards. If hackers can also steal billing addresses, the combined information can be used to make unauthorized purchases online. U.S. credit card details may sell for as little as $10-$15 a pop. But if a company has sloppily stored thousands of customer payment details on its systems, it can prove a profitable discovery.

Health records, which contain all the information needed to steal someone’s identity, are a more lucrative find and can sell for hundreds of dollars each on the dark web. While health insurers, hospitals and clinics are often targeted by hackers looking to steal these records, cyber criminals may target vendors who store some of this data.

It is important to protect personal data, because once they have the information, criminals can impersonate their unsuspecting victims and then apply for new credit cards or loans under their names. Cyber criminals often use health records in particularly heinous attacks targeted at defrauding sick, elderly patients.

Avoid industrial espionage

Industrial espionage, whether authorized by rival companies or overseas governments, is a growing threat. And for a company, theft of its intellectual property can prove potentially devastating.

Hackers are often contracted to steal commercially sensitive product or research material that may allow them to copy innovative designs and technologies, even beating their developer in the race to market. They may also be looking for sensitive information about a company’s key customers, suppliers, price lists or contract terms, which could then be exploited.

And it’s not just huge corporations that are likely to be the victims of industrial espionage. The ease of finding and paying a hacker via dark web marketplaces also raises the possibility of smaller firms being hacked by their local rivals.

Prevent a ransomware threat

Many hackers are looking for data they can easily monetize, but with a ransomware threat, attackers don’t care about selling information. They simply rely on a panicked company paying to keep hold of its own vital data.

Despite the runaway increase in ransomware events, many companies are still not sufficiently backing up or isolating their essential data, leaving themselves wide open to attack. It’s a nightmarish scenario for companies to find their systems locked down or files encrypted until they pay a ransom to have access restored.

Ransom amounts are rising, sometimes stretching to millions of dollars payable in cryptocurrency, and companies are often given just a few days to come up with the payment before the price increases. If companies can’t pay by the deadline, they lose access to all of their corporate information, which, in a worst-case scenario, could mean the end for a company.

Even if businesses decide they have no option but to pay, they may face the additional challenge of how to transfer the money. It takes a couple of days to set up and fund a cryptocurrency account in the United States, so having a dormant account that can be used in emergencies brought on by a ransomware threat is increasingly important for companies.

Cybersecurity provides protection from hackers

Third-party IT specialists can help companies strengthen the cybersecurity around their business systems if they don’t have the technical knowledge in-house. Educating staff on simple measures such as password hygiene can also bolster security.

Companies that have survived a hack understand that investing in cybersecurity is an essential way to ensure their businesses can reduce risks and avoid potentially costly attacks in future.

For firms that think cybersecurity is an additional cost they can do without, it’s time to rethink whether they can afford to skimp on protection from hackers when the risks are so high. Need help? Contact your Wipfli advisor for assistance.

Author(s)

Tom Wojcinski, CISA, CRISC
Director