Understanding the threat of cybercrime against your business.
Business leaders clearly understand that many risks exist that may threaten the success of their business. Things like physical theft, lawsuits from customers or employees, damage from weather-related events, and a host of other things can cost money or damage your reputation.
But what about cybercrime? Is cybercrime a business risk that concerns you? The more I study cybercrime events, the more I am convinced cybercrime is the greatest threat to your business today.
Who is behind cybercrime?
There are many organizations and individuals who commit cybercrime. However, it is not likely some nerd wearing a hoodie, working from his parents’ basement. That image is a cliche that has been presented in movies and TV shows for years. It does not represent the reality of the “actors” responsible for most of today’s successful cyber attacks.
There are many well-organized groups and individuals who are active cybercriminals. These groups could be organized crime, nation-states, hacktivists, or others. What is important to understand is that stealing money is the motive for the majority of cybercrimes. Simply having a business in the U.S. gives the perception of wealth and makes you a target for cybercrime.
Technology resources for cybercrime are plentiful.
I recently read this article on Forbes.com that described a specific cybercriminal in Nigeria. I found that ironic and somewhat humorous at first because of all the old-school phishing emails that claim to come from a Nigerian prince. However, after reading it, I gained a greater understanding of how easy it is to be a successful cybercriminal.
The article explains how this lifestyle can evolve from buying stolen credit cards in an attempt to make online purchases to a life of much larger and more lucrative schemes. There is a massive marketplace peddling the tools needed to conduct cyber attacks. Anyone could hire highly skilled developers to create exactly the software, malware, or app that meets the needs of a cybercriminal.
People like this don’t know you or care about your business. They are simply seeking their next victim and next payday. Cybercriminals use a variety of strategies to manipulate innocent people into allowing them to carry out their crimes. They are much more dangerous than a thief or a vandal trying to break into your business because they can act anonymously. The likelihood of them being caught and punished is much lower than for those committing “traditional” crimes.
What could a business lose?
Our company works with many companies in many different industries. Some of these businesses are held to specific security standards because they operate in “at-risk” industries like finance or healthcare. It seems that those businesses that are not in these categories are the ones that most often suffer losses from cybercrime.
Cybercriminal activities can include common schemes like ransomware and Business Email Compromise (also known as CEO Fraud). Ransomware is relatively simple to understand. Opening an infected email attachment or clicking on a link that leads to a website spreading malicious code is often how it infects the victim’s computer. Ransomware renders systems unusable by encrypting every file the infected user can access. A ransom demand follows in exchange for the key to decrypt the data.
In many cases, an unprepared business has no choice but to pay the ransom to recover the information that is critical to their operation. The ransom demand can be thousands of dollars and in many cases paying it is the best option. While the FBI discourages anyone from paying the ransom, it often costs less than recovering from an attack. For instance, the city of Atlanta, Georgia spent $17 million to recover from a ransomware attack that included a ransom demand of $52 thousand. The largest ransom paid was reportedly $930 thousand.
What is CEO Fraud or business email compromise?
CEO Fraud, often called Business Email Compromise, is when a high-ranking company official has their email hijacked. The criminal can then act as the “boss” and request certain actions of people who report to them. The crook can end up having large sums of money deposited into their account if money transfers are common in the business. This strategy can be very effective when a business relies on email to initiate financial transactions.
I am personally aware of a couple of cases where a business transferred large sums of money ($30K in one case and $200K in another) to the account of a cybercriminal. According to the FBI’s Internet Cyber Crime Report of 2019, losses to business email compromise were $3.5 billion in 2019. This is a rapidly growing threat that every business needs to be concerned about. You can find the full FBI report here.
This strategy is so effective because it uses the email account of a high-ranking company official to instigate the act. The unsuspecting employee believes they are receiving instructions from their superior.
How do I defend my business against cybercrime?
It is critical to determine where you stand in terms of protecting your business against cybercrime. You need to establish a baseline and determine how you can improve from there. Hire a professional, third-party company to assess your current IT security stance.
You will be able to begin setting targets for improving your security. Some of these measures will cost money and others will simply take time. A large part of this process can be related to the established policies and procedures of your business. It is dangerous to rely on tribal knowledge when it comes to questions like “what do we do if we experience a ransomware attack?” Having defined processes and clearly communicated policies will help develop a security-conscious culture in your business. Check out an earlier blog I wrote about this topic here.
Ultimately, recognizing the severity of the threat of cybercrime is the first step to becoming better protected. Businesses simply cannot ignore it any longer and those that do will eventually suffer a loss.
RSPN offers risk assessments, security consulting, and managed IT services designed to address many of these growing needs for businesses. Contact us today to learn more about how we can help protect your business.