Not If, but When: How to Prevent and Mitigate Cybercrime
For any business, large or small, the question of facing a cyberattack isn’t if — it’s when. “Cybersecurity should not be an afterthought,” says Gareth Van Orman from Ivey Mechanical Company, based in Kosciusko, Mississippi. “You should build and design your systems with the thought in mind that it will be as secure as you can make it.”
Having the necessary tools for protecting electronic assets means budgeting for them. Just as technology changes rapidly, so do cybercrime schemes, and out-of-date hardware and software become more vulnerable with time. Have a dedicated tech budget to regularly upgrade hardware and software. A large system upgrade can be an intimidating cost to a small business, but so is a security breach, says John Nedoba, president of Boelcke Heating & Air Conditioning, based in Stevensville, Michigan.
“There are two major things that are associated with keeping a company safe,” says Luther Burrell, vice president of administration and information technology at Ivey Mechanical Company. “Number one is to absolutely have some type of security software in place, and not just a single solution. If indeed you do get breached, the second most important piece of that is to be backed up offline where you can recover.”
Multi-solution security has layers, such as a firewall for the overall system, security software on individual pieces of hardware, and email monitoring. The more complex and layered the security, the harder it will be for a cybercriminal to find a weak point. A system that is difficult enough to penetrate can dissuade a criminal, who might move on to an easier target.
After Boelcke Heating & Air Conditioning had been hacked, the company moved to a more secure cloud-based system instead of a server-based system, says Nedoba.
Service teams are entrusted with sensitive customer data, including credit card information. Gone are the days of conducting transactions on paper. Boelcke Heating & Air Conditioning uses company-owned devices, each dedicated to a service truck, for all customer transactions. This ensures customer data is stored and encrypted directly in the company’s system.
Ideally, there should be more than one backup, including an off-site backup. A company can quickly access information backed up off-site in the event of a security breach — especially if a cybercriminal attempts to hold company information ransom or deletes it entirely.
Someone needs to pay attention to the state of the company’s technology and cybersecurity. Smaller companies that can’t afford a dedicated IT staff person can outsource this to a trusted vendor, who can perform routine system maintenance, monitor the firewall, and advise when it’s time to upgrade. Larger companies will need to have dedicated IT staff. While companies of all sizes are at risk, the larger a company grows, the bigger a target it becomes, says Van Orman.
Staff play an important role in protecting the company. While it’s important to include cybersecurity in employee training and onboarding processes, it’s a mistake to take a one-and-done approach. Cybersecurity should be a day-to-day part of workplace culture and operations.
Regularly bring up cybersecurity topics, questions, and reminders, such as at all-staff meetings, when systems are being updated, or when small issues come up. If everyone in the company is thinking about cybersecurity on a day-to-day basis, the business is less likely to become vulnerable through passivity.
Drills for cyber risks keep staff on alert. For example, send out an unannounced mock phishing email to staff. Do a walk-through and ask employees to turn over their keyboards or open drawers, two places where people will often try to hide a written-down password. Alert staff to threats, such as someone receiving a suspicious email.
In a July 27, 2022, article in InformationWeek, Jessica Davis reported that while insider threats make up a small number of all cyberattacks, the highest percentage of those insider threats comes from ex-employees. A disgruntled or former employee has the potential to wreak havoc with a company’s system and information or share confidential or proprietary information out of revenge. Limit access to sensitive data to only the necessary staff members, and discourage password sharing among staff. Cybersecurity should also be part of the protocol for employee termination or resignation, such as changing passwords.
Email Phishing and Password Protection
In 2020, the FBI reported that “between January 2014 and October 2019, the Internet Crime Complaint Center received complaints totaling more than $2.1 billion in actual losses from Business Email Compromise scams using two popular cloud-based email services.”
Phishing schemes — when a cybercriminal uses websites or emails that seem legitimate and reputable but are actually designed to collect personal or business information to steal money or an identity — are getting more sophisticated. A single letter in an email address can be the only difference between a legitimate address and a predatory one.
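The single-letter difference described above can be checked automatically. The following is an added example, not part of the original article: it compares a sender's domain against a short list of trusted domains and flags near matches. The domain names, the sample From headers, and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: the company's own domain and one known vendor.
TRUSTED_DOMAINS = {"acme-hvac.example", "parts-supplier.example"}

def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    previous = list(range(len(b) + 1))
    for i, ch_a in enumerate(a, start=1):
        current = [i]
        for j, ch_b in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,                   # delete ch_a
                current[j - 1] + 1,                # insert ch_b
                previous[j - 1] + (ch_a != ch_b),  # substitute
            ))
        previous = current
    return previous[-1]

def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """'trusted' on an exact match, 'lookalike' when the domain is within
    max_distance edits of a trusted domain, otherwise 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(edit_distance(domain, t) <= max_distance for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Pat Owner <pat@acme-hvac.example>",
    "Pat Owner <pat@acrne-hvac.example>",    # "rn" standing in for "m"
    "Billing <ar@parts-suppller.example>",   # "l" standing in for "i"
    "Newsletter <news@unrelated.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):10} {header}")
```

A "lookalike" result is a reason to hold the message and verify the request through another channel; an "unknown" result only means the sender is not on the list.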
Small businesses in which the owner is more directly involved with day-to-day operations may need to be more vigilant about email phishing schemes. In larger companies, anyone regularly working with executive-level staff or outside vendors needs to be on the lookout.
The best way to catch a fake email is to pay attention and double check. Does anything seem off? Is the logo not quite right? Does the signature not quite follow standard format? Does the request seem unusual?
Then, verify with the person the message appears to be coming from. It’s good practice to build verification into the workflow for some requests or processes, such as those involving money or customer information. Certain requests may be handled in person only, for example. Standardizing procedures also makes it easier to notice and flag any variations from those procedures as suspicious.
Even if the company has strong security in place, if employees access personal accounts on company devices, a phisher may use that as the entry point into the system. Someone who is more vigilant at work may let down their guard in their personal interactions. Additionally, all business should be handled within the company’s email system.
Along with email, passwords can be an obvious weak point for companies from a cybercriminal’s perspective. Many people know the basics of password security, such as not writing them down, using complex passwords, and not reusing passwords for more than one login, but these basics need to be put into practice. Passwords should be changed when there is employee turnover as well as regularly, and any program or device that has the option for multi-factor authentication should use it.
For smaller companies that cannot afford a sophisticated security system, safeguarding email and passwords may be their most important defense, especially if an owner is involved in day-to-day operations and can be easily impersonated online.
Recovering from a cybercrime is expensive, and having an insurance policy can mitigate some of the financial damage. Just like with any other type of insurance, consider buying what you can afford, which will vary based on the size of the company, says Burrell. An insurance company will also generally have staff or consultants who advise the attacked company on next steps, such as which local, state, or federal authorities to contact.
After a cybercrime, a business may need to purchase new software or hardware or hire an independent forensic investigator or legal counsel. And if customer data was potentially stolen during a breach, the company may need or want, depending on local regulations, to offer free credit monitoring to customers affected by the breach for a set period of time.
Looking to the Future
Cyberattacks on critical infrastructure are a growing concern nationwide. “As a company that helps maintain, provide and source those sorts of infrastructure,” says Van Orman, “that’s a venue that we have our eyes toward because we’re going to become targeted even more so as hacking moves toward infrastructure, not just dollars.”
Van Orman is also tracking changes in chipset technology (chipsets are part of a computer’s motherboard or expansion card), further emphasizing the importance of keeping hardware up to date.
And Nedoba recommends monitoring potential changes to local, state, and national laws and regulations regarding credit card processing and fraud protection.
A world with cybercrime seems scary, but following the old adage of “trust, but verify” can go a long way in helping keep an HVAC company safe.
- Not If, but When: How to Prevent and Mitigate Cybercrime - December 5, 2022