Fighting an unrelenting war – how business can be safe from cyberattack
Defending against an online onslaught is becoming an increasingly onerous and expensive undertaking for business. Experts at Baker Tilly detail how organisations can best defend themselves against the unrelenting threat of cyberattack.
It’s a seemingly innocent story that plays out at businesses around the world every single day – an employee receives an email they think is coming from their manager and they act on the instructions within.
Those instructions could be as simple as clicking a link or replying to the email, and often request typical tasks that employees may undertake as they go about their jobs.
But by following those instructions, that employee has unwittingly opened the door for a cyberattack.
And it could be extremely costly.
In the United States alone, the Federal Bureau of Investigation reported losses incurred due to cyber scams including extortion, identity theft and data breaches rose to $US6.9 billion in 2021 – a 64% increase on the previous year.
For individual organisations, the cost of a data breach averages around $US5.4 million, according to research by cybersecurity specialists Imperva.
At the same time, the rate of attack has been continuously escalating.
Research by Check Point showed that by the end of last year, attempted cyberattacks on businesses worldwide were up to 925 per week, a 50% increase compared to 2020.
Denver-based cybersecurity expert Robert Rudloff, a Partner at RubinBrown, part of the Baker Tilly International Network, says all businesses are vulnerable, no matter what industry they operate in or how large their organisation is.
“Cybersecurity has to be a high priority for any business, because you don’t want to be an easy target,” Mr Rudloff says.
“You have to make sure that you’re not the easiest target, or the low-hanging fruit, so to speak.
“There are so many easy targets out there, so if you have the right security, most cybercriminals will bounce off and move to an easier target rather than putting in a lot of effort.”
Cyberattacks have risen swiftly to all-time highs, ramping up particularly strongly following Russia’s invasion of Ukraine in February.
With many distracted by the escalating conflict, cybersecurity executives including CrowdStrike CEO George Kurtz said hackers were taking advantage of the situation, launching a wider range of attacks, many of which have been successful.
While there are multiple threats to business from hackers, the easiest way in has proven to be email.
In 2021, the FBI received nearly 20,000 complaints from US businesses regarding email scams, with those organisations saying they’d collectively lost just under $US2.4 billion.
Known as phishing, these email attacks typically involve messages purporting to come from reputable companies or individuals and designed to extract valuable information, such as login credentials or credit card details.
But even as more companies become aware of their vulnerabilities, the problem for employers is that hackers’ methods are becoming increasingly believable and complex.
Jeff Krull, who leads Baker Tilly’s cybersecurity services in the US, says email attacks have come a long way from the almost comical emails from ‘African princes’ looking for a benefactor to receive millions of dollars that were so prevalent in the late 1990s and early 2000s.
“Criminals have made a lot of money over the past two or three years,” Mr Krull says.
“They were successful in a lot of the wire transfer fraud schemes and ransomware attacks that they launched, so they are well funded.
“And well-funded criminals means they are getting more sophisticated, and the homework before the attacks has gone up to the point where they can take their time to really make it a little more targeted.
“Around 15 years ago, it was more of a roughshod approach.
“Now the approach is ‘there is a company I want to target, I think they have cash or maybe they have security weaknesses, or maybe they have IP I could steal’.
“They’re playing a little bit more of the long game and doing inside research to be better informed when they send an attack.”
Mr Krull says part of that long game involves unscrupulous individuals trawling social media sites, particularly LinkedIn, for information about companies or employees that makes their approaches seem credible.
The end game, he says, is to gain entry to an organisation’s network.
“Once you can get into the network, that’s when they can start looking around,” Mr Krull says.
“Now that they’re inside the network, they can look at everything connected to the network to try and exploit.
“What you see more and more is they will get into a network and exfiltrate as much as they can, they will steal your data, and then they go and lock your data.
“They will then demand a ransom, usually in some form of cryptocurrency, and even if you have good backups and can restore your data, they will threaten to start leaking it on the dark web unless you pay.”
RubinBrown’s Mr Rudloff says hackers are also increasingly aware of the opportunities available from homing in on specific industry groups or employees.
Check Point’s research found the education/research sector was most targeted in 2021, averaging 1,605 attacks per organisation every week. That was followed by the government/military sector at 1,136 attacks/week and the communications industry, at 1,070 attacks/week.
Mr Krull says hackers will also tailor cyberattacks by industry type.
“Ransomware targets tend to target healthcare more often than anywhere else, because in the healthcare system, if their computers don’t work, people could die, so healthcare is far more likely to pay the ransom quickly,” Mr Rudloff says.
“A similar case is critical infrastructure – if hackers go after infrastructure it is far more likely the ransom will be paid.”
Rethinking risk management
Part of the reason cyberattacks continue to rise is many organisations do not consider them to be one of their top risks.
A recent study by business services listings agency UpCity showed just half of the small businesses they surveyed had a cybersecurity plan in place, and while 30% say they plan to initiate one, 20% remain vulnerable to attack.
The study also showed just 42% of respondents had revised their cybersecurity plans since the onset of the pandemic, while a shift to employee-owned devices created more entry points into an organisation’s network infrastructure.
Mr Krull says much of the complacency stems from the fact that the majority of organisations have insurance against cyberattack in place, so they consider the financial risk to be low.
But with the increased prevalence of successful attacks and subsequent deluge of claims, Mr Krull says cybersecurity insurers are starting to do more due diligence and are increasing the costs of coverage.
“Cyber insurance is getting much more expensive in a lot of cases,” Mr Krull says.
“We’re hearing some organisations may struggle to even get it because of the risk profile with the underwriters and the insurers keep pushing back the retention so organisations have to keep more of the risk.
“A company may have a $5 million policy, but the insurer will now leave them on the hook for the first $1 million.
“With all of that going on, I think there is going to be somewhat of a rethinking of risk management over the next few years.
“Organisations will start saying ‘if I’m on the hook for more of the risk, maybe I need to do more to protect myself’.
“And candidly, almost every organisation could do more – very few organisations have all the controls they should have, and in many organisations there are people who know they’re not doing everything they should be doing.”
Perhaps surprisingly, cost isn’t the biggest barrier to putting in place proper protections against cyberattack.
Mr Krull says there are instead often cultural barriers within organisations, as well as an unwillingness to take the time and effort to put the protections in place.
“A lot of organisations use applications that don’t have multi-factor authentication and they don’t have well-hardened processes for how they can provision and deprovision people, and when we bring those things up, everybody agrees they should be brought into the fold,” he says.
“But then all of a sudden the human resources department says they want to control the application so there is a cultural battle around it.
“It’s nothing to do with anybody disputing what the right answer is, from a security standpoint.
“Security people will tell you they can usually flip a switch and turn on multi-factor authentication.
“But when the end user says ‘no, we can’t do our job if you do that’, or ‘we have to go through a whole change management process to do it’, that’s when there is an issue.”
The frontlines of defence
Against the backdrop of relentless attack, it may be easy to assume that nothing can be done to prevent cybercriminals from gaining access to an organisation.
Thankfully, however, Mr Rudloff says there are several strategies businesses can put in place to mitigate the risk of cybercrime.
“There are three top things we try to get clients to focus on,” he says.
“One is security hygiene, which is making sure the IT infrastructure, especially the internet-facing infrastructure, is kept up to date, or at least is close to being up to date.
“The second is security awareness training, and this aims to make sure that if your employees receive an email saying that the boss wants them to go buy gift cards or click on a link, they are at least a little sceptical and they don’t click on the first thing.
“The third area is making sure service providers and suppliers are doing something to protect their security.
“Depending on how an organisation is set up, what work they’re doing and what type of industry they’re in, risk assessment comes down to where they focus their time and energy.
“If you’re aware that a supplier that provides you with a service has had an issue, whether it was an attack or a data breach or another type of attack, you can be more aware and wary of attacks coming to you.
“If you’re not aware then it’s harder to be prepared.”
An increasingly important risk mitigation strategy, Mr Rudloff says, is to stay ahead of the threats.
That starts with regular risk assessment, which he says helps organisations determine where their cybersecurity focus needs to be.
“It depends on your industry and what type of organisation you are, but for most organisations you have to have good threat intelligence and be honest with yourself on the risk,” Mr Rudloff says.
Another crucial element of tackling cyberattacks is to ensure employees are able to identify when an email they’ve been sent may not be legitimate.
“Previously, I was a chief information security officer, and I always preferred to have somebody call me and say they got an email or clicked on something because that helps you through the process and helps the organisation through the process, rather than find out a week or two later that somebody clicked on something and they didn’t tell us and now there is an infection that has to be cleaned up,” Mr Rudloff says.
“Part of organisational culture is making it OK to say ‘hey, I clicked on something I shouldn’t have’.
“The other part of it is educating folks to let them know that attacks are going on. Education doesn’t have to be hard or boring – we always recommend that you gamify it as much as you can.”