Tips for Preventing and Surviving a Cyberattack


PinkDiamond
Posts: 15619
Joined: Thu Jun 04, 2015 9:30 pm
Location: Ozark Mountains


Post by PinkDiamond »

Cybersecurity is of utmost importance in this day and age, and this is an extensive article on how to protect your business, and what to do in the event of a cyberattack. There's a photo I copied that says, 'Protect Your Business, click here for helpful tips' that's not active if you click it. I just posted it to show you it's available at the link to the rest of the article from the MJSA in case anyone needs it. ;)

Tips for Preventing and Surviving a Cyberattack

Play it Safe
How to safeguard your business against cybercrime

By Sharon Elaine Thompson

"It’s said that there are two kinds of businesses: those that have been hacked and those that will be.

It was probably predictable that, with so many vendors and buyers moving online in the last two years, cyberattacks would increase across all types of industries. According to a report late last year from McAfee Enterprise and FireEye, 81 percent of global organizations experienced cyber threats during the COVID-19 pandemic, with 79 percent experiencing downtime due to a cyber incident during a peak season.

Many businesses think they’re too small to be the target of cybercrime, but no business is immune from a cyberattack, whether by a lone hacker exploiting a weak system or an international crime group looking for a big score.

[Image: Many businesses think they're too small to be the target of cybercrime, but if your business sends or receives money digitally, you're especially vulnerable to being hacked.]

“There is always the threat of your network being breached,” says Matt Sherman, senior vice president of reinsurance and programs in the Cyber & Professional Lines Group at Tokio Marine HCC, which partners with Jewelers Mutual Group in Neenah, Wisconsin.

And it’s not all about you. In fact, hackers most commonly work through small businesses, which are less secure, to swim upstream through weak passwords and portals to larger fish. This is how the large Home Depot attack was made in 2014—hackers used a vendor’s username and password to infiltrate the company’s network and access the payment card data of 40 million customers. In just this way, a jewelry store or manufacturer might provide an entry point to a refiner or diamond dealer. That’s why, says Sherman, when you shop for cyber insurance, the carrier will “look at a business’s partners and how they may access the company’s systems.”

You’re especially vulnerable if you send or receive money digitally. It is not uncommon for businesses to be induced to pay bills to a false account because someone is impersonating a client through altered information, says Sherman.

As you would not leave your physical location unlocked and unprotected, so you must protect your digital business. In a previous issue of MJSA Journal, we covered the kinds of attacks you might be subject to and how to protect yourself from them (“Better Safe than Sorry,” MJSA Journal, June 2020). But even if you’re prepared, you can still be hacked.

No one knows this better than Scott N. Schober, president of Berkeley Varitronics Systems Inc. in Metuchen, New Jersey, a 50-year-old privately held company that designs wireless security and cybersecurity products. (He is also the author of Cybersecurity Is Everybody’s Business and Hacked Again.) Originally the business produced wireless testing tools used to build the cellular networks that make smartphones work, but Schober began focusing on security because wireless systems are often how hackers get in.

But the more he talked about safety from hacking, he says, “the more I started getting a target on my back.” It started with repeated attacks on his personal and business debit-card accounts. Then his Twitter account and website were targeted. Finally, he had $65,000 stolen from his checking account. While he recovered the money and secured his system, the incident, he says, “was shocking and scary.”

A Cybercrime Refresher

In the jewelry industry, says Jewelers’ Security Alliance (JSA) President John Kennedy, cybercrime is primarily “cyber-enabled fraud,” where criminals use digital means such as phishing, spoofing e-mails, or social engineering to induce a company to send product to a criminal in the belief that it’s responding to a known and trusted client. Ransomware attacks happen as well. Based on a recent report, JSA is seeing an uptick in ransomware attacks.

Phishing attacks are those made via e-mails that seem to come from a friend, colleague, or family member, though they may also appear to come from your bank, lender, or a government agency. The e-mails are often spoofed—the sender’s address appears to be legitimate at first glance, but closer examination shows misspellings.

The goal of a phishing attack is to get you to click on a link in the e-mail, which then gives cybercriminals access to your computer system, personal and financial data, and passwords. Once they get into your business computer, they can access lists of clients’ and vendors’ e-mails and phish those contacts as well, possibly accessing their financial and password information.

Social engineering happens when cybercriminals impersonate customers, vendors, and even people within your business. The criminal cons targets and manipulates them into handing over cash, products, or sensitive information. In this way, jewelry businesses of all kinds have been manipulated into sending sometimes tens of thousands of dollars in diamonds or jewelry directly to criminals, says Kennedy. The jewelry industry is not alone in this. In fact, more than 95 percent of cybercrime is the result of some kind of social engineering.

Ransomware, the newest type of cyberattack, has grown dramatically during the pandemic. Ransomware is front-page news when these attacks hit large organizations, universities, municipalities, or healthcare networks. While large networks may be the targets of nation-states or criminal organizations, lone hackers can and do target smaller companies. In fact, almost half of the victims of ransomware attacks have fewer than 100 employees, says James McQuiggan, security awareness advocate for KnowBe4 in Clearwater, Florida, which specializes in security awareness training and simulated phishing testing.

Ransomware, which often starts as a phishing scam, is essentially a kidnapping of your data in exchange for a ransom, explains McQuiggan. Criminals might impersonate a vendor, notifying you of a price increase, and send a link for you to click to get more information. Even savvy internet users, aware of phishing scams, might respond. “Any e-mails that deal with money, people tend to fall for,” says McQuiggan.

Once the criminals take control, your system displays a message that your data has been encrypted, and you’ll get instructions on how to pay the ransom. “They usually give you 72 hours to pay,” says McQuiggan. In that time, you have to get and set up a cryptocurrency wallet (which can take 24 to 48 hours), and then get the ransom converted to cryptocurrency (which will take another 24 to 48 hours).

Because of the tight time frame, and because the cybercriminals know exactly how long each of these processes take, ransomware victims must stay in close communication with the criminals, says McQuiggan. They have call centers and help desks where you can chat with someone and “better customer service than some other businesses,” he says. But even so, “if you are not done in time, they’ll destroy your data.”

[Image: Phishing attacks often feature spoofed e-mails made to appear as if they're coming from friends, colleagues, and other trusted sources.]

Their control of your system means the criminals know your average annual revenue: The ransom demand is usually 10 to 20 percent of that. Few businesses have this kind of cash available to them. Law enforcement may recommend you don’t pay the ransom as it only continues to fund these criminal organizations. But if you don’t pay, you not only lose your data, but the criminals can also then target anyone else in your contacts list—and tell them where they got their personal information. Your reputation and business will be destroyed.

They are, says McQuiggan, “Al Capones with keyboards.”

What are the chances that you won’t get your data back, even if you pay the ransom?

Low, says McQuiggan, because for the criminals, this is just business, and like legitimate businesses, they depend on “customers”—albeit unwilling ones—to keep funding them. The large crime networks “have a need to represent themselves correctly,” says McQuiggan. “If you paid and you didn’t get your data back, soon no one would pay, and they’d be out of business.” So most often, if you pay, they give you the key to get your data back.

Warning Signs


Small to medium-sized businesses may not have the same resources in software and staff that large organizations do to monitor e-mails or websites or run checks on the system. Even a lot of antivirus software is not infallible, as cybercriminals can now often circumvent that.

That’s why it can take up to eight months for a business to realize they’ve been hacked. The criminals quietly lurk in your system, watching your business, stealing confidential information about you and your customers, and then hacking into their systems as well. “Cybercriminals want to be quiet,” says McQuiggan. “Like thieves breaking into a jewelry store at night, they don’t want to trip an alarm or break the glass.”

There are, however, a few warning signs that your system may be under attack, says Schober.

If regular online sales suddenly dry up, that is a possible sign of a Distributed Denial of Service (DDoS) attack, “when a third party floods your website with junk traffic so that customers cannot access your website and buy your product,” explains Schober.

[Image: Beware cyberattack warning signs such as your system suddenly shutting down, running slower than normal, or doing things that you didn't initiate.]

If you notice your system is running slowly, “it might be that you received malicious software in the form of a key-logger, which covertly records every keystroke you type. That can later be used to hack into your online accounts,” he says. “You need to pay attention and respond immediately.” If you think your system was accessed, disconnect it from the internet, change your passwords, and contact either your insurance company or cybersecurity provider.

If your system suddenly shuts down, is slower than normal, or acts in a way that you did not initiate, says Erich Falke, Esq., chief information security officer and cyber risk practice manager for ePlace Solutions Inc. in Fresno, California, “it could be that an attacker is using your processing power to run unauthorized processes behind the scenes.”

Problems with e-mail can also indicate an attack. Schober says they once had trouble with bounced e-mails. They discovered that fraudulent messages were being sent from an employee’s hacked e-mail account. “You have to be constantly vigilant to stop these attacks,” he says.


If anyone in your company complains that their computer seems frozen, “tell them not to touch anything,” says Schober. “Do some detective work to determine if someone could have clicked on a suspicious e-mail and initiated the download of malware or even a strain of ransomware. Ask questions,” he says. “You want to know exactly what happened before the computer froze.” This information will help your response team determine how the breach occurred.

In the event of a suspected attack, “You should immediately disconnect from the internet and change your passwords before the hacker takes over any accounts,” says Schober. If the hacker has not gotten into your computer, you want to stop them. If they have gotten in, you want to contain the damage. Do not automatically plug in your back-up until you are very sure it hasn’t been compromised, he says, something your cybersecurity support will help you determine.

Checking the activity logs in your system for unauthorized accounts, suspicious activity, or new files is another way to discover if your system has been hacked.

If you have any of the above irregularities that you can’t explain, the very first thing you should do is contact your insurer or a cybersecurity expert. While you can contact local law enforcement so the breach goes on record, cyber experts say that law enforcement generally doesn’t get involved unless large organizations such as a university or healthcare system are affected. Given the rising number of cyberattacks, police simply don’t have the resources to investigate every incident.

Get Covered

According to cybercrime experts, the single most important thing you can do to protect your business in the event of a cyberattack is to get cybercrime insurance coverage. Policies can cover losses from impersonation crime, spoofed e-mails, redirected money or product, and ransomware. It can also cover lawsuits by customers whose personal information has been exposed, the expense of hiring a forensic expert to assess what happened, and possibly some of the remediation work to get your system back up and secure. Like all insurance, explains Sherman, cyber coverage is different for each business. “It always depends on the claim and the circumstances and the policy.”

“The common factor in determining how much coverage to have is the business revenue,” says Nick Pottebaum, vice president of reinsurance and programs in the Cyber & Professional Lines Group at Tokio Marine HCC. “A larger company is going to get a larger ransom demand. We’re also dealing with more interactions, more touch points for a hacker to infiltrate.”

Most small to medium-sized businesses do not have the skills or the experience to deal with modern cybercrime. When faced with an attack, they need professional help to contain and repair the damage, clean up their systems, and secure it to prevent future attacks.

[Image: A cybercrime insurance policy can cover losses resulting from a cyberattack as well as cover some of the remediation work to get your system back up and running.]

“One of the primary reasons to get cyber insurance today is to have immediate access to legal and forensic breach professionals,” in the event of an attack, says Falke. “Within a couple of hours, the cavalry comes in.” You won’t be left in a panic trying to find a reputable, affordable cybersecurity service that may or may not be the best fit for your business. “The insurance company will have vetted those professionals to be sure they are the best and most knowledgeable for helping your business recover.”

They will help you with the ransom process or help you safely vet and clean up your system if malware has been installed. Using the carrier’s pre-breach services, you can also establish new protocols to significantly reduce the risk of another cyberattack.

An insurer can help you meet your legal obligations, says Falke, an attorney who has acted as a breach coach. “There are specialized attorneys that solely focus on helping companies recover from an attack,” he explains. “Every state has different notification laws that say if you hold sensitive personal information and it is compromised, you have an obligation to notify those people so they can take steps to protect themselves.” You must meet those obligations or put yourself at legal risk.

Business computer systems are awash in sensitive information. Even if you don’t keep credit card information in your system, think of the other personal data about you, your employees, your customers, and your vendors that you might hold: birth and anniversary dates; names of family members or vendor contact names; addresses, phone numbers, and e-mail addresses; sales records; appraisals and repair records; employee pay records and social security numbers; and purchase orders. The list is endless. Any of this information can put you, your employees, your customers, or your business partners at risk in the event of a breach.

Getting cyber insurance is an additional expense, but for companies ramping up their online presence, it’s vital. Before bemoaning the added cost of cyber insurance, remember that 40 percent of small businesses don’t recover at all from a cyberattack and are out of business within a year due to financial losses, reputational losses, or both.

What kinds of businesses should have cyber insurance? “Everybody should have it,” says Pottebaum.

If you have an e-mail address, you have an entry point into your system. If you do business with other companies via e-mail or wire transfer, you have an entry point into your business. If you’ve received a “phishing” e-mail that you’ve recognized and deleted, you need cyber insurance in case you don’t recognize the next one. If you use the internet at all for your business—and virtually everyone does now—you should consider cyber insurance another cost of doing business.

An Ounce of Prevention

A business’s digital presence increases in complexity every day. In order to reduce your risk of cybercrime, you may need to hire a company specializing in vulnerability and penetration or phishing testing to determine your weaknesses. “Most companies don’t know their own vulnerabilities. I didn’t know what my company’s were, and we are in the security business,” says Schober.

A good investment might be to hire a cybersecurity firm and have them check your system to be sure your hardware, firewall, and router are up to date and all patches are in place before an attack occurs. These “white hat hackers” might try to break into your system the same way a cybercriminal might, something they can often do frighteningly quickly, and then advise you how to plug those holes.

They may offer training for you and your employees and do periodic phishing tests to ensure everyone in your business stays alert.

This kind of security check should be done on a regular basis, says McQuiggan. “You hire a furnace company to check your HVAC system once a year. This is the same thing.”

It’s important to shop for a cybersecurity expert before you need one. Many are geared to deal with large breaches in large organizations, though a growing number are specializing in small to medium-sized businesses. Because you will be giving these companies access to your computer system, you want to be sure they are reputable, dependable, and the best fit for your business.

To find a reputable firm, ask other small businesses about whom they work with. Ask not only other jewelers, but also accountants, lawyers, realtors, your local credit union or bank—any business that needs to secure personal and sensitive information and that has the same size staff or needs that you do.

[Image: Cybersecurity firms can check that your system is up to date as well as identify and plug any holes in it that cybercriminals could use to get into your system.]

Then talk to the cybersecurity firm. Find out what services they offer before and after an attack, what their success rate is in preventing attacks, and what the recovery time would be from an attack. Ask what kinds of protection are best for your size business, how long it takes to get protected, whether you have what you need already in your system, and, if not, what upgrades you need. What kind of cyberattack detection can they provide, and can they help in the event of a ransomware attack? How much of the company’s information will they need to access? They may have to work with your e-mails, but can they read them?

Ask for referrals and then follow up on the referrals.

If you hire a cybersecurity firm, and they give you advice, follow the advice. In his book A Data-Driven Computer Security Defense, Roger A. Grimes writes that he’s often befuddled by clients who hire him, pay him, and then don’t make the changes he advises.

Having a company that you have at least interviewed—before an attack happens—is invaluable. In the event of an attack, you will know whom to call immediately, especially if you don’t have cyber insurance.

But even if you do retain the services of a cybersecurity firm and invest in cyber insurance, there is still more you need to do to protect the integrity of your digital system.

Use strong passwords.
By now you know the drill—use a mix of upper- and lowercase letters, numbers, and symbols, and don’t use birthdays, anniversaries, or family, friend, or pet names. This is exactly the kind of information that hackers mine for on social media and blogs to figure out passwords, and they have several software programs that can break those passwords in no time. Passwords should be 12 to 15 characters or longer. “Make the password long and it will naturally become stronger,” says Schober. “If you can’t remember it, it’s probably a good password.” Then secure it. You can use a password locker or manager (though those can be hacked) to store your passwords. You could also do what Schober does and put your most sensitive passwords in a black book and keep it where you can secure it and still have access to it, such as in a locked drawer in a vault that only you have access to. Be sure to change your passwords every few months.

Use multifactor authentication wherever possible,
especially on all remote access accounts, e-mail, and any privileged accounts, such as the admin accounts, says Falke. This is usually done by having the system automatically generate codes sent via e-mail or SMS that would then need to be entered before the system can be accessed.

Strong employee cybersecurity training is crucial. “Some research says up to 90 percent of all hacks are due to human error,” says Falke. “A larger portion of those come through phishing. You need to train employees to be constantly aware and to stay alert, and to report it immediately if there is any kind of suspicious attachment or link. All e-mails with a link or attachment should be verified as legitimate before proceeding.”

Have secure backups.
“Make sure that one set of backups is offline or segregated from the operating environment,” says Falke. “The first thing cybercriminals do is look for backups and destroy them.”

A disconnected backup can save you a lot of time and money. In the case of a ransomware attack, if your backup is secure, says Pottebaum, you might be able to “scrap your system and use your secure backups and not pay the ransom.” You’ll only lose whatever was stored since your last backup. Ideally, you should be backing up your system at the close of every business day. When determining how often to back up your system, think about how much data you would be open to losing should a breach occur—a day’s worth, a week’s, a month’s?

Update and patch your software.
Everyone hates this job. It takes time. It can require a system shutdown, and it often gets pushed to the end of the to-do list. But most software has vulnerabilities, and the developers release security updates and patches regularly.

“Make sure you apply the updates” in a timely way, says Falke. “Make sure that the patch management program in your company is strong.”

“Be sure the hardware, or firewall, and router are all up to date, that there are no weaknesses, and that [everything is] patched,” says McQuiggan. After all, “if someone throws a rock through your window, you don’t leave the hole. You patch it up with a board and then replace the window.”

A good, next-generation antivirus program.
If you haven’t updated your antivirus software, consider doing it. The malware world has changed, explains Falke. Until a few years ago, most anti-virus programs were designed to recognize the “signature” of different types of malware. But cybercriminals have developed malware that doesn’t have a unique signature, and older antivirus programs are blind to it. The next generation antivirus, says Falke, “has intelligent, smart capability. You deploy it, and it starts to understand and learn how the machine behaves. So, if there is a deviation in that behavior, it raises red flags that, for want of a better term, tell you your machine is acting weird.”

If you are applying for cyber insurance, you may be required to have a lot of these security measures already in place. Increasing cybercrime means increasing loss claims, so to protect themselves, insurance companies are requiring that businesses meet more stringent protection standards. They need to “ascertain the probability of an event and how bad it could potentially be,” says Pottebaum.

When it comes to larger companies that have more ways for a hacker to infiltrate (and that might be a target for large ransom demands), in addition to focusing on the above precautions the insurer will “ask about accessibility to the network, how the log-in works,” adds Sherman. “Two-factor authentication makes credential mining more difficult—if you just have usernames and passwords, it’s fairly easy for hackers to figure out how to get in.”

Whatever you do, if you think you’ve been hacked, don’t try to fix it yourself. Instead, disconnect from the internet, connect via another device to change your passwords for all your sensitive sites, and get help, either from your insurer or from a cybersecurity firm—preferably one you have researched and established a relationship with.

“If you aren’t proficient in cyber forensics and breach forensics, this is an area you don’t want to play in,” says Falke. “Cyber criminals are super-sophisticated. If you don’t know what you are doing, you can think you’ve cleaned things up, but you haven’t. They can leave backdoors that are very difficult to detect.” Even your IT person may not have the knowledge needed to be effective, he says. “Cyber forensics is a very specialized field now requiring expertise.”

If you are hit with a cyberattack, at the least your business may be shut down for a few days while you address the worst of it. But it could ... "

https://www.mjsa.org/publications/mjsa- ... yberattack
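As an added illustration of the warning signs the article lists for cyber-enabled fraud (a sender domain that is a near-misspelling of a trusted one, a Reply-To that points elsewhere, and money-related requests carrying a link), here is a small screening routine in Python. It is not from the article or from MJSA; the trusted-domain list and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list of partners the business actually works with (hypothetical names).
TRUSTED_DOMAINS = {"example-refiner.com", "example-diamonds.com"}

# Phrases the article warns about: e-mails that "deal with money" or change payment details.
MONEY_PHRASES = ("new bank", "updated account", "wire", "price increase", "invoice", "remit")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 or 2 between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value) -> str:
    """Domain part of an address header, lower-cased ('' if the header is absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates (distance 1 or 2), else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def screen_message(raw: str) -> list:
    """Return the warning signs found in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = ((msg.get("Subject") or "") + "\n" + body).lower()

    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    near = lookalike_of(from_dom)
    reply_mismatch = bool(reply_dom) and reply_dom != from_dom
    has_link = re.search(r"https?://", text) is not None

    findings = []
    if near:
        findings.append(f"sender domain {from_dom} resembles trusted domain {near}")
    if reply_mismatch:
        findings.append(f"Reply-To goes to {reply_dom}, not to {from_dom}")
    if any(p in text for p in MONEY_PHRASES) and (near or reply_mismatch or has_link):
        findings.append("money-related request combined with a link or a suspicious sender")
    return findings


# Constructed sample messages: one ordinary statement, one impersonation attempt.
LEGIT = """From: Accounts <billing@example-refiner.com>
To: owner@example-jeweler.com
Subject: Statement for March

Attached is your March statement. Nothing has changed on our side.
"""

SPOOF = """From: Accounts <billing@exarnple-refiner.com>
Reply-To: billing@mail-example.net
To: owner@example-jeweler.com
Subject: Updated account details for invoice 1187

Please note our new bank for wire payments and confirm at https://example.net/confirm
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, screen_message(raw) or ["no warning signs"])
```

The "rn" for "m" swap in the spoofed domain is the kind of misspelling the article says only shows up on closer examination; the routine catches it by distance rather than by eye.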
SwordfishMining
Posts: 4269
Joined: Fri Jun 05, 2015 3:06 pm
Location: Denio, NV USA

Re: Tips for Preventing and Surviving a Cyberattack

Post by SwordfishMining »

40 percent of small businesses don’t recover at all from a cyber attack,
up to 90 percent of all hacks are due to human error allowing criminal access for theft
back up your system at the close of every business day
Keep it offline if possible, as paper and pen do not require electricity.