The email looked legit, so an employee at a small Michigan manufacturer opened it and clicked on an attachment.
That was a bad move. The attachment delivered a ransomware attack: malicious software quickly downloaded and installed itself, encrypted the company’s servers and data, and then demanded payment to release them.
“They were essentially shut down, couldn’t function,” said Jessica Dore, a leader in the technology solutions group for CPA and consulting firm Rehmann LLC.
The client had backed up a majority of its data, so staffers at Rehmann were able to recover and reinstall the data, although it took four days to rebuild the system and get the company back operating, Dore said.
The Rehmann client’s story illustrates the kind of constant, evolving threats businesses face today from increasingly sophisticated hackers and scammers, who are often part of well-organized, well-run criminal enterprises.
Phishing attacks have grown substantially in the last two years, Dore said. Hackers today are also far better at disguising phishing attacks, so they are not as easily spotted as they once were, and victims often mistake phishing emails for legitimate ones, she said.
“We’ve had a number of organizations get hit with those,” she said. “Hackers are getting more and more sophisticated. Back 10 years ago, you could easily spot a phishing email because there were a lot of grammar and spelling mistakes and things like that.
“Today, they can hire translation services on the web to make sure phishing emails are proofread before they go out, and with everybody in their normal day-to-day rush, people don’t pay attention and they click on something they shouldn’t.”
Dore and other experts say that amid growing cyber threats, companies need to remain vigilant in protecting themselves. They should regularly update and patch their software, strengthen and routinely update employee passwords, add layers of authentication for system login, train staff about new and emerging threats, back up their data, and plan and prepare for how they’ll respond to an inevitable attack.
“It’s not a situation of protecting yourself for if it happens. It’s when it happens,” said Amanda Regnerus, executive vice president of products and services at Grand Rapids-based data services provider US Signal Co. LLC. “Everybody needs to make sure they’re protected and are protecting themselves because, as you see, the statistics are not going down.”
Targeting small business
Phishing attacks can lead to hackers stealing sensitive company and customer data or intellectual property, or rerouting money such as payroll funds, said Trevor Bidle, vice president of information security at US Signal.
One of the biggest forms of phishing involves hackers trying to steal login credentials, Bidle said. If successful, “then they can turn around, dive through your email and expand and attack other people, or use the information in your email.”
“We’ve seen it where they’ll steal information out of people’s email and use it to conduct payroll attacks, changing where your paycheck goes,” he said. “For small businesses, that can be very harmful. They can also change where payments from customers come from or go to.”
One of the biggest mistakes small businesses make these days is to presume they are not vulnerable, Bidle said.
A tendency persists among some small business owners to think that hackers won’t target them because of their size, Bidle said, noting that the opposite is true.
Many small businesses lack the I.T. staff and resources needed to protect themselves, or simply can’t or don’t want to spend the money for the protection, leaving the company more vulnerable, Bidle said. Hackers also tend to view small businesses as being more apt to pay the ransom in a ransomware attack, Bidle added.
“Especially from a ransomware perspective, small business is a great target because a lot of times those businesses don’t have the backups or the business continuity plan to stay in business, so they have to pay the ransom,” he said. “Unfortunately, paying the ransom fuels the attackers, but in the small business realm, sometimes it’s the only way you can keep your business going.”
The first line of defense for businesses is awareness and training employees on existing and emerging threats, experts say.
Even if a company has the latest software patches installed and security systems in place, regular staff training on threats can prove beneficial, said attorney Jennifer Puplava, who chairs the computer systems and technology committee at Mika Meyers PLC in Grand Rapids.
“Yes, your technology is in place, but education is the answer in all businesses. If you’re a business of more than one, you need to make sure that everyone in your business understands that this is a risk and understands how to identify potential threats and avoid them,” Puplava said. “And you can only do that by education, and that means you have to talk about it.”
Employee training on cybersecurity is increasingly available through business groups and I.T. vendors. Experts also suggest that companies have a third-party assessment done on their vulnerability.
Properly trained staff can identify a phishing attempt that even technology or software cannot, Bidle said.
For example, an employee may notice the language in an email or the signoff at the end doesn’t mesh with how an executive writes, or it uses words they wouldn’t use or makes an unusual request, Bidle said. An employee also may notice a misspelled name within the email.
“Humans can spot anomalies that machines can’t,” Bidle said. “This is a risk you have to recognize and encourage and train your employees to always have a suspicious eye or a curious eye through your email and protect your data.”
Bidle cites a case at US Signal in which an attacker tried to impersonate an executive. The giveaways that the email was a fake included that it requested something “that was out of sorts” and how it was signed, he said.
“Everyone knows how he signs his email and it didn’t fit the pattern,” Bidle said. “For all of the machine-learning and A.I. that is out there, humans still tend to be the best at looking at something and going, ‘Does this fit?’”
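The giveaways Bidle describes, a request that is out of sorts, a signoff that does not fit how the executive signs, a misspelled name, can also be written down as checks a mail filter or help desk runs before anyone acts on the request. The script below is an added example for this article, not code from US Signal, Rehmann or anyone quoted here; the company domain, the executive roster, the phrase list and both sample messages are constructed for illustration.

```python
"""Heuristic screening for executive-impersonation emails (constructed example)."""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumed defender data: our own mail domain and how each executive really signs.
COMPANY_DOMAIN = "example-mfg.test"
EXECUTIVES = {
    "jane doe": {"address": "jane.doe@example-mfg.test", "signoff": "-- Jane"},
}
# Requests that should never be actioned on the strength of an email alone.
RISKY_PHRASES = ("direct deposit", "payroll", "wire transfer", "gift card",
                 "keep this confidential", "change my bank")


def _text_body(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message: str) -> list:
    """Return human-readable warnings for one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw_message)
    findings = []

    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    name_key = " ".join(display.lower().split())

    # Misspelled executive name: close to a known name but not an exact match.
    exec_key = name_key if name_key in EXECUTIVES else None
    if exec_key is None:
        close = difflib.get_close_matches(name_key, EXECUTIVES, n=1, cutoff=0.8)
        if close:
            exec_key = close[0]
            findings.append(f"display name '{display}' looks like a misspelling of '{exec_key}'")
    exec_info = EXECUTIVES.get(exec_key) if exec_key else None

    # Executive's name on an address we do not recognise (lookalike domain or free-mail).
    if exec_info and address.lower() != exec_info["address"]:
        findings.append(f"'{display}' sent from {address}, expected {exec_info['address']}")

    # Lookalike domain: carries our brand name but is not our domain.
    brand = COMPANY_DOMAIN.split(".")[0]
    if sender_domain != COMPANY_DOMAIN and brand in sender_domain:
        findings.append(f"sender domain {sender_domain} imitates {COMPANY_DOMAIN}")

    # Reply-To quietly routes the answer to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"Reply-To {reply_to} does not match sender domain {sender_domain}")

    # Out-of-sorts request: money or secrecy language in the subject or body.
    text = (msg.get("Subject", "") + "\n" + _text_body(msg)).lower()
    hits = [p for p in RISKY_PHRASES if p in text]
    if hits:
        findings.append("request involves " + ", ".join(hits))

    # Signoff does not fit how this executive signs.
    lines = [ln.strip() for ln in _text_body(msg).splitlines() if ln.strip()]
    if exec_info and lines and lines[-1] != exec_info["signoff"]:
        findings.append(f"signoff '{lines[-1]}' differs from usual '{exec_info['signoff']}'")
    return findings


# Constructed sample messages (not real mail).
PHISH = """From: Jane Doe <jane.doe@example-mfg-payroll.test>
Reply-To: jd.ceo@webmail.test
To: payroll@example-mfg.test
Subject: Quick favor

Hi, can you change my direct deposit before Friday? Keep this confidential.

Thanks,
Jane Doe
"""

LEGIT = """From: Jane Doe <jane.doe@example-mfg.test>
To: staff@example-mfg.test
Subject: Customer tour Thursday

Reminder that the plant tour starts at 9am in the lobby.

-- Jane
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(sample) or ["no findings"])
```

Run against the constructed messages, the impersonation attempt trips five checks and the genuine note trips none. None of these checks replaces the employee who knows how the executive actually writes; they are the part of that judgement that can be automated so the unusual request gets a second look before money moves.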
In a majority of the cases in which Rehmann conducts an incident review following a cyber attack on a client, it finds a lack of training that could have made a difference, Dore said.
While training takes time and costs money, it improves chances of preventing or minimizing an attack and is better than reacting after an incident occurs, she said.
“What we see is that organizations are not doing that regular training. They’re not educating employees on those threats that are out there and the employees fall victim to them, and then it essentially goes from there,” Dore said. “If you’re not training them on a regular basis, how are they going to know how best to protect the organization?”
Sometimes a post-mortem conducted on a cyber attack also shows a company was not regularly updating and patching its software. Some organizations “have a really terrible patch management program, so they’re not keeping their systems up to date,” Dore said.
“That’s basic blocking and tackling in the I.T. world, keeping those systems up to date,” she said.
At US Signal, Bidle said, “almost every incident we work on, you find something that could have been done better.”
Putting needed protections in place and preparing for an attack can mitigate losses and disruption, he said.
US Signal has worked on incidents in which a client that was prepared was able to recover data in as little as 15 minutes. In other situations where a company didn’t have a full response plan, “it’s taken us two weeks to get them back up,” he said. “And then there’s other customers that lost substantial chunks of data because they didn’t really have stuff backed up that they should have.”
Another basic defense is multi-factor authentication, which requires a second proof of identity, such as a one-time code from a phone or authenticator app, in addition to a password to log into a system.
Employees may not like multi-factor authentication at first, but they soon get used to it, and it’s an effective defense, Puplava said.
“At the beginning, it’s disruptive because you’re putting something new into your routine, but after a while, it just becomes part of your daily routine. It becomes something you don’t think about going through all of the steps making sure you’re secure,” she said. “All of the security measures in the world won’t help you if you’re not actually using them.”
Cyber threats and the significant risks they pose to companies have grown to the point where owners and senior leadership must make cybersecurity a top strategic priority, according to Bidle. Given the prevalence and sophistication of cyber attacks today, executive leaders of companies large and small need to know how to protect their businesses, he said.
“It’s no longer a bottom-up approach. This is top down. Ownership, boards, anyone that has responsibility for management needs to understand what their company is doing,” he said. “It can’t just be delegated to an individual team member.”
That heightened attention to cybersecurity should extend outward, to vendors and partners, as well.
In the age of online procurement, companies of any size should look across their supply chain and know what vendors do, Dore said. She recalls how the massive data breach at Target Corp. in 2013 that affected 41 million consumers originated when a third-party vendor had its credentials stolen.
“They’re able to get into the vendors, then they can hop over to their clients’ networks as well,” Dore said. “Organizations have to do proper due diligence. Whenever they allow other organizations to be connecting to their environment, they need to make sure they have controls in place.”