Experts weigh in on the best practices for combating the next wave of data breaches.
Many CEOs live in fear that their companies will suffer a data breach. That’s for good reason: In 2019 the average breach of U.S. companies cost $73,000. And the cost of the attendant reputational damage with vendors and customers can be far greater.
It’s probably no surprise, then, that in a recent Inc. survey, senior executives said their two greatest worries on a wide-ranging list of technology-related developments were having sensitive data stolen and being the victim of a ransomware attack. Some respondents know the pain firsthand – 8 percent said their company has experienced a breach within the past two years, while 12 percent say they’ve experienced one in the past five years. With that in mind, Inc. spoke with cybersecurity experts to find out the latest when it comes to company breaches.
The first thing they made clear is that the 12 percent figure is probably low, since there are likely an increasing number of breaches that companies aren’t aware of and don’t report. Something that might play into that: hackers’ new methods of choice.
More than half of all breaches last year were not performed using malware, according to a January report fromcybersecurity firm Crowdstrike. That’s important because malware often is easily detectable. Increasingly, hackers are finding ways to access your company’s network using its existing systems, like logging on with an employees’ stolen credentials, says Shawn Henry, Crowdstrike chief security officer.
“More time undetected means more success for them,” Henry says, noting that the average adversary spent 95 days in an organization’s network before being detected, up from 85 days a year ago. “It’s similar to why you go for a colonoscopy, or you go to the dermatologist to be checked for unusual marks. It’s preventive maintenance. If something is there for months or years undetected, you’re in trouble.”
Hackers can find their way into your system in a number of ways, with phishing scams being one of the most prevalent. These attacks are becoming more sophisticated, according to Joseph Steinberg, author of Cybersecurity for Dummies and a former Inc. columnist.
In some cases, a hacker might spoof the email address of an executive, send a note telling employees they’ve been laid off, and instruct them to log onto the network as soon as possible to fill out a form to receive their severance. The employees then click a link to their company’s network and, not realizing it’s actually a fake, enter their usernames and passwords. Suddenly, the hackers have a working set of login credentials – or many of them.
What’s more, now hackers are more often studying a company’s personnel and learning their manner of speaking by email before spoofing them, Steinberg says. They’ll glean personal information through the social media accounts of executives or their family members to find out, say, that they’re about to head off on vacation.
“Then they send a message to the CFO that sounds real and say, ‘I’m getting on my flight to Disneyland, so don’t bother calling me. Just take action.’ ” Suddenly, an employee is sending sensitive information – or even a wire payment – to a bad actor.
“Phishing 10 or 15 years ago was a shotgun,” Steinberg says. “I’m going to fire out hundreds of shells and hopefully some of them hit the target, whereas this is much more like a rifle. I’m trying to get this one person, but I’m hitting with a much more accurate and stronger attack.”
Shifting your mindset
Though it’s detectable once it’s in your system, malware is infiltrating more discreetly than ever before. Last year saw a trend away from the use of malware in email attachments–which many employees have learned to recognize as a red flag–and toward links instead, according to cybersecurity firm Proofpoint. “The increasing prevalence of cloud applications and storage means that we are all conditioned to click through links to view, share, and interact with a variety of content,” the company wrote in a December report.
Adversaries increasingly are using URL shorteners to make links in emails appear legitimate, the firm says. Hackers sometimes use URLs that are just one character different than the real thing, like a letter with a line under it, which is tough to spot in hyperlinked text, according to Steinberg.
The best ways to combat hackers
So how to prevent against all this? While companies need to make sure they invest in cybersecurity measures, of course, the experts offer additional tips.
1. Make sure all employees are properly trained and educated.
Have procedures in place for everything, Steinberg says. “And those procedures don’t go away just because the CEO is getting on a flight to Miami,” he says.
2. Get help from your rivals.
Share information about attacks to competitors in your industry with the hopes that they’ll do the same, Henry advises. “It’s understanding that if they targeted my transportation company this week, they’re going to target your transportation company next week,” he says. “Let’s share this intelligence with you so that you can better protect yourselves.”
3. Never think you’re immune.
Perhaps most important is understanding that your company can become a target, no matter how small or how secure, Steinberg says. “When that mindset changes from, ‘Nobody would be interested in hacking me’ to ‘I’m skeptical about everything that comes to me because I know there are criminals targeting me,’ it changes the way you react,” he says. “It changes the way you do lots of things, so that these types of attacks become a lot less likely to succeed.”
By Kevin J. Ryan