What We Learned About Cyber Security Threats in 2022
As our world continues down a path of digital transformation, cyber security threats continued to grow in 2022. Where they were once considered to be more of a danger only to larger enterprises, small businesses became increasingly targeted over the past year. As this is a topic that is constantly evolving, business owners and IT Managers must continue to stay vigilant in their security posture, and ensure their organizations are protected both in terms of personnel, and technology. Here are a few things we learned in the past year.
Cyber Threats Continue to Grow & Evolve
The threat of cyber attacks is proliferating, and cyber security has become one of the top priorities for every organization around the globe. Cyber attackers try to break into systems, steal information, send spam emails, disrupt networks, destroy data, or cause any number of other malicious actions.
While some cyber crimes are for profit, others are simply out of spite or frustration. These attacks can cause severe damage to businesses, causing them to shut down or pay hefty fines. Cyber attacks affected 53 million people in the U.S. within the first half of 2022. They not only cause financial losses but can also lead to reputational damage. The rising number of such episodes means that companies must proactively protect themselves from cybercrime.
They should start preparing to prevent or minimize the impact of such attacks by investing in cybersecurity solutions like encryption software and firewalls. A comprehensive approach to cybersecurity combines prevention, detection, response, and recovery capabilities.
What Are the Costs?
Direct and indirect costs are two primary ways a company might suffer financially from a cyberattack. While direct costs involve actual expenditures made to fix a problem, indirect costs refer to any expenses incurred due to a breach, such as loss of reputation and brand image. These costs could range anywhere from $0 to billions depending on the scope of the problem. According to IBM, the average data breach cost in 2022 is $4.35 million.
How Can I Protect My Business from Cyber Attacks?
Regardless of how much money a business loses, it’s always prudent to implement certain precautions to protect yourself against these threats. A company should conduct regular audits of its own IT infrastructure to ensure it’s patched correctly and updated regularly. Furthermore, businesses must ensure that no unauthorized users access sensitive files and data.
Companies should educate their staff about cybersecurity awareness and take steps to reduce the likelihood of human errors. Finally, organizations must keep software patches up to date and create policies to prevent employees from accessing sensitive information outside of work hours.
How To Create A Robust Cyber-Security Strategy
Protecting private information, intellectual property, brand reputation, and financial and operational data are critical to any company’s success. A robust cyber-security strategy should encompass the physical protection of network devices and infrastructure, the people who use them, and their training.
-
Understand the Risks
The first step to any security program is understanding where the threats lie. 93% of company networks are prone to cyber-attacks. Knowing your business model will help determine various things, including what attacks your company will fall victim to. Organizations should assess their systems in terms of vulnerabilities at least once a year.
The goal of the assessment should be to determine what security controls are necessary and how they can best protect against potential threats. A thorough evaluation of your systems will enable you to identify possible threats that could expose your business to loss, damage your brand reputation, or compromise your customers’ privacy.
You can hire a third party to perform standard penetration tests or invest in software solutions that monitor and detect potential threats.
-
Identify the Assets
Once you understand the scope of the problem, define who owns the systems and what they do. Companies can document the business processes and identify the people involved. Assets are anything that the organization relies on for its operation. Once identified, the organization can develop policies and procedures for controlling access to the asset. These policies and practices protect the asset from unauthorized use and abuse.
Industries dealing with sensitive information should ensure they have appropriate security measures. If your company handles any data about credit card numbers, social security numbers, patient records, and financial transactions, you should consider getting a cyber-security plan
-
Enforce the Policy
If proper security policies exist, then the final step is enforcing them. Policies can range from restricting physical access to the company building to limiting employees’ time on personal devices or checking email. There is no universal set of rules, but there are some guidelines that can help ensure compliance with existing policies. Policies should include developing three core capabilities;
- Firewalls– Provide comprehensive packet inspection capabilities that offer granular control over how traffic enters the enterprise.
- Intrusion Detection Systems (IDS)- Detect malicious code such as viruses, worms, and Trojans and alert administrators.
- Secure Web Gateways – Ensure that users’ interactions with applications are safe and secure. When properly configured, they can prevent unauthorized access to websites.
These foundational technologies make up a layered defense. In addition, use a suite of tools that monitor and report on the status of these technologies and maintain visibility of where employees interact with technology. Organizations that regularly train their employees in security awareness are less likely to suffer a breach than organizations that do not.
-
Implement a Multi-Layered Approach
There are many ways to secure your network and IT system. Many companies use the following methods:
- Physical access controls: These devices allow authorized employees to gain physical access to your network or computer systems.
- Password management: These programs manage passwords and prevent users from sharing them.
- Network access control: Network access control restricts external access to your internal networks.
- Anti-malware software: Anti-malware software detects malware before it infects your computers.
Include additional layers of protection in your operating systems, applications, and devices. Security experts recommend adding two layers of defense at a minimum; antivirus software and firewalls.
You should review and evaluate these tools and keep them up-to-date. Consider investing in endpoint and network protection products that allow granular control over user permissions, policies, and alerts.
-
Investigate the Breach
Once you identify the threat, the next step is investigating it. An investigation should involve reviewing the evidence and analyzing the incident. An organization must collect data about the incident to investigate the incident properly.
The collected information should include the nature of the breach, when it occurred, and how the attack occurred. A log management system provides centralized storage and analysis of all logs, and security analytics can help to correlate events and flag issues.
-
Respond to the Breach
After collecting the data, the organization should respond appropriately. An effective response should address the issue and provide recommendations for preventing future incidents. As part of the response, the organization should notify the affected individuals, update the employee directory, contact law enforcement, and take measures to increase security.
Your Employees Are Being Targeted Via Social Engineering
Social engineering is the second-highest cybersecurity threat in 2022, with ransomware coming in first. Every day, Google blocks more than 100 million phishing emails–and even more continue to make it through their filters. Cyberattacks have continued to rise throughout 2020 and 2021. As we move through 2022, many businesses continue to see a high degree of threats, many of which come in the form of social engineering.
Make sure your employees are prepared to deal with these key social engineering attacks in 2022.
1. SMS Phishing
Text phishing is becoming increasingly common–and unfortunately, many people are not yet fully aware of the potential implications. Text phishing, particularly to your work accounts, can take many of the same forms as other types of social engineering, including sending text messages that spoof multi-factor authentication requests or request payment from vendors that your company may work with. SMS phishing may seem more authentic due to the fact that many employees have not yet recognized the prevalence of text-based phishing scams.
Make sure that employees are used to deal with text threats as well as social engineering emails. Do not send private information, or requests for private information, through text, so that employees will know that they don’t have to worry about requests potentially coming from internal employees.
2. Spear phishing
While general phishing attacks are designed to target a wide range of users based on the information the hacker or scammer is able to gather about them, spear phishing attacks are generally designed to target specific individuals–often those at higher levels within the organization. Spear phishing attacks may aim to get login credentials or other vital information from people in positions of power throughout your organization.
Often, people at higher levels within your organization may sign off on potential requests or even hand over funds without thinking twice about it. Sometimes, spear phishing campaigns will attempt to solicit funds directly. In other cases, they may attempt to get the target’s login information or other private information so that they can log in and complete those actions on their own.
Sometimes, spear phishing will use an account pretending to be the CEO or another high-level individual in the organization to convince other employees to transfer funds, as in the FACC attack, where the business lost nearly $60 million due to a CEO fraud scam.
3. Emotional Manipulation Scams
Many scammers will use emotional manipulation to target businesses and private individuals alike. During the height of the pandemic, for example, Google blocked more than 17 million emails per day as scammers tried to play on pandemic-associated fears to convince targets to click malicious links that would ultimately lead to malware on the device.
Emotional manipulation can take a number of forms. For example, scammers might try to target people who want to donate to Ukraine, especially as war continues to rage. Many employees are still concerned with the potential impact of the pandemic on themselves and their loved ones. By manipulating those employees, scammers may be able to convince them to share private information or to click on links that might expose business devices to malware.
4. Ransomware Attacks Following Phishing
Ransomware attacks have become increasingly prevalent in the past couple of years. Ransomware locks users out of their devices and networks entirely, destroying the information left behind. Once a scammer gains credentials through phishing or spear phishing, the scammer or organization can escalate the attack, allowing them access to other corners of the network.
Increasingly, cybercriminals are using overlapping attack platforms that will provide them with access to greater levels of information.
5. Diversion Theft
Diversion theft has been around for years. Previously, scammers wild try to persuade a delivery driver or company to hand off a package at the wrong location, allowing the thief to take possession of a package intended to go somewhere else. Cyber crime has taken diversion theft to a deeper level. Now, cybercriminals can convince employees to divert funds or information to a location other than the one it was originally intended to go to. Sometimes, employees are convinced to pay invoices to the scammer, instead of to the right organization. In other cases, scammers may create invoices outright.
Preparing Your Team for Cyber Threat Awareness Involves Everyone
First, let’s touch on the best practices for any business to maintain a strong cyber-secure infrastructure.
Keep Your Systems Updated and Configured
Make sure you are working with relatively new equipment, the latest operating systems, and continually upgrade the software in your stack. Download security upgrades and check for non-automated upgrades at least once a year – October is a great time to check.
Once you have fully upgraded software, make sure your systems, programs, platforms, and firewall are fully configured with new logins and custom settings that increase your security from the default out-of-the-box performance.
Perform Routine Penetration and Vulnerability Testing
Never assume that security “just works” or has continued to work without monitoring. Penetration and vulnerability testing are two approaches to the same goal: Identifying potential gaps in your cybersecurity and closing them. Perform regular penetration and vulnerability tests, especially after making changes or updates to your stack.
Use Live and AI-Assisted Security Monitoring
Monitoring your network is the best way to detect malicious activity in action. Authorizations that don’t fit the typical pattern, activity at the wrong time or from the wrong IP address, or mysterious resource use from unnamed programs are all red flags that can be caught with human and AI network monitoring.
The Best Ways to Raise Staff-Wide Cybersecurity Awareness & Vigilance
Now, let’s get to the fun part: Cybersecurity awareness for the whole team. Companies have typically struggled to keep their staff interested, engaged, and vigilant in spite of available or mandatory cybersecurity training. Why? Because the training does not engage and relevance doesn’t extend past the classroom. The best way to celebrate October as Cybersecurity Awareness Month is to create a month of awareness activities that the whole staff can have fun with. Yes, we said fun. When cybersecurity practices become woven into rewards for vigilance, inside jokes, and routine activities, your team will defend company data effectively long after training day is over.
1) Post a Fake Phishing Email on the Dash/Bulletin Board
Give everyone a visual of what phishing looks like. Everyone knows that suspicious feeling when they get it, but not everyone has seen a few dozen examples of phishing to compare to emails that hit their inbox. Write (or find and print) one subtle but obvious-if-you-look phishing email and post it in the break room, on the bulletin board, or on your shared digital dashboard for remote and hybrid teams.
Have a good laugh, let the team talk about it. Call it the Catch of the Week and post a new Phish every Monday to check out and laugh about the scams. This will casually familiarize your team with phishing approaches that they will avoid with more savvy and group support.
2) Hold a Password Building Workshop
Most people do not know how to make and remember a good password. It’s a learned skill. Most admins probably remember when they learned and from whom, we certainly do. Become that life lesson by holding a password workshop for your teams. Teach them to make funny yet complex passwords that are as easy to remember as a one-line joke and as hard to guess as a random string of letters.
3) Create a Hacker-Report Intake System
Make sure there is an available channel for all employees to report cybersecurity matters. Whether it’s screenshots of a potential phishing email or “I think I just clicked a bad link.” Make it a safe, welcoming channel with the message that IT would rather know than not know about any possible breach, mistake, device infection, or attempt to phish employees.
4) Commission the IT Team to Perform Cybersecurity Drills
Nothing is quite as effective for staff-wide security like cybersecurity drills. Phishing avoidance, malware detection, ransomware response, and how to report it all can be taught in a way everyone will remember (for the rest of their lives) by asking the IT team to play the badguys. They typically love this role, provided other work is well-balanced.
Challenge your IT team to send fake phishing emails from new email accounts, to simulate the signs of malware on random employee devices, and to occasionally send a fake ransomware prompt. Before you release this on the staff, clearly instruct everyone on what to watch for and how to report a cybersecurity issue if the signs occur. Give cheat-sheets and post reminders. Encourage everyone to stay sharp and watch out for the spoofed hacks.
Publicly congratulate those who properly avoid and report the drills. Then throw a party for those who detect and report a real hacker. Reserve an end-of-year award for anyone whose vigilance may have saved the company.
Keep the tradition going, and your team will stay on their toes hunting for hackers, with a potential bonus of cake, trophies, and glory.
Building a strong foundation of cybersecurity starts with your infrastructure. Your hardware, software, updates, and monitoring define how safe everyone is by default. An alert, engaged, and vigilant staff forms the next layer of your defense, catching every social hacking attempt and possibly even a few instances of lurking malware. You need an IT team ready and equally dedicated to the safe operation of your business. Contact us today to learn more about how to get secure for cybersecurity awareness month.
Strengthen Your Cyber Security with Contego
Contego offers a free service that evaluates your computer security posture based on industry best practices and your organization’s objectives. We understand what’s involved in protecting your data and aim to help businesses know what they are exposed to in cyberspace and take appropriate action.
Contego’s security experts will provide you with a better understanding of your network security posture and a plan to address any gaps or weaknesses. Contact us at (866) 331-3393 to book your free cyber threat assessment.