At the 2017 Midmarket CIO Forum, Brian Hill of Computer Forensic Services explained how to protect your company from threats such as ransomware, phishing, and IoT vulnerabilities.
As enterprises continue to add new technologies to the business, CIOs must be constantly alert to the cybersecurity threats that those technologies open up. At the 2017 Midmarket CIO Forum in Savannah, GA, Brian Hill, vice president of corporate investigative services at Computer Forensic Services, explained several major security vulnerabilities currently facing businesses.
"Cybersecurity is ever-changing," Hill said. "With technology we gain a ton of convenience, but every time we gain convenience, we always give up some security. It's about trying to find that fine balance in between those."
Here are six major enterprise security threats, and tips for how to avoid them.
1. Phishing
Phishing emails are a common way hackers gain access to enterprise systems or trick business leaders into fraudulently wiring money, Hill said. "Big companies are hard to attack, so hackers have to attack you, the individuals," Hill said. "It's where the vulnerabilities are. People click on links."
Cybercriminals have grown in sophistication since the days of the Nigerian prince emails, Hill added. Using information from social media accounts and fake logos that make their messages seem more legitimate, they can directly target individuals at a company.
2. CEO spoofing
CEO spoofing is a similar concept to phishing, but with a twist: It tricks users via an email, instead of a link. It can occur like this: Using social media, a cybercriminal can see when a CEO is at a conference. Then, he or she can send an email that appears to be from the CEO to the CFO, saying "I'm here in China, we need to make an acquisition immediately, please transfer me $1 million."
This can happen on a large scale, Hill said: Last year, Fifth Third Bank was sued after an employee wired $52 million to a fraudulent account.
"The big key message is to slow down," Hill said. "Make sure to educate everybody that works with you. This can happen to anybody." Attacks like these demonstrate why it is important to verify all business transactions before putting them through, he added.
3. Insider threats
Insider threats are a major, often overlooked cybersecurity concern for enterprises, Hill said. Employees who resign or are terminated may create a backdoor for themselves, or take data with them to a competing company.
One way to protect against this is to revoke employee credentials when someone leaves the company, Hill said. In one major county in Minnesota, thousands of employees never had their credentials revoked when they resigned or were terminated. It was in the policy manual, but no one was actually doing it, Hill said, leading to major security risks.
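One way to check that the revocation policy described above is actually being carried out, as an added example that is not from Hill's talk or the original article: it cross-references an HR separation export against an account export and lists accounts that are still enabled. The CSV column names and all sample rows are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR separation export and an account export.
HR_SEPARATIONS = """employee_id,separation_date
1001,2017-03-31
1002,2017-06-15
1003,2017-09-01
"""

ACCOUNTS = """username,employee_id,enabled,last_login
asmith,1001,true,2017-05-02
bjones,1002,false,2017-06-14
clee,1003,true,2017-08-30
dpatel,1004,true,2017-09-20
svc-backup,,true,2017-09-21
"""

def find_unrevoked(hr_csv, accounts_csv, today):
    """Return enabled accounts that belong to separated employees, worst first."""
    separated = {
        row["employee_id"]: date.fromisoformat(row["separation_date"])
        for row in csv.DictReader(io.StringIO(hr_csv))
    }
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        left_on = separated.get(acct["employee_id"])
        if left_on is None or left_on > today:
            continue  # still employed, or not tied to a person (service account)
        if acct["enabled"].strip().lower() != "true":
            continue  # credentials already revoked
        last_login = date.fromisoformat(acct["last_login"])
        findings.append({
            "username": acct["username"],
            "days_overdue": (today - left_on).days,
            # A login after the separation date needs investigation, not just cleanup.
            "used_after_separation": last_login > left_on,
        })
    # Accounts used after separation come first, then the longest overdue.
    return sorted(findings,
                  key=lambda f: (not f["used_after_separation"], -f["days_overdue"]))

if __name__ == "__main__":
    for finding in find_unrevoked(HR_SEPARATIONS, ACCOUNTS, date(2017, 9, 25)):
        print(finding)
```

Running a check like this on a schedule turns the written policy into something that can be measured, and accounts with no employee ID (such as the constructed `svc-backup`) need their own ownership review because this comparison skips them.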
4. Zeus malware
In 2010, more than 100 people were arrested in a major cyber crime ring after using phishing emails to infect computers of small businesses and individuals in the US with Zeus, a type of malware used to steal banking information by man-in-the-browser keystroke logging and form grabbing. Zeus allows criminals to access users' online passwords and bank account details and transfer money out.
In the case of Minnesota's Society of Corporate Compliance and Ethics, a nonprofit that Hill worked with, one of the cybercriminals in the ring hacked into a bookkeeper's account by getting her to click on a link in an email that appeared to be from the FDIC. They were able to transfer $952,800 to Romania, and were arrested at the bank, Hill said. One of the criminals was a decorated Ukrainian general.
5. Internet of Things (IoT) vulnerabilities
"Everything today is connected," Hill said, which can make our work and personal lives easier, but also opens up a number of new security concerns.
This is especially the case for businesses such as connected public utilities, Hill said. Remote access to these systems can be convenient for solving problems in off-hours, but also creates security vulnerabilities. For example, in Blaine, MN, the IoT-controlled water system was shut down twice in two months this year, leading to school closures and a city recommendation to boil water before drinking it.
Without strong website security, hackers can often gain access to utilities such as water towers and wind turbines. Web cameras found in stores or businesses are often unsecured, and criminals can easily gain access and move the cameras around, including to watch employees type in account information. It's also key to change the password on IoT systems after they are installed, as hackers can easily download instruction manuals and find the default password, Hill said.
6. Ransomware
Ransomware attacks have exploded in number in the past year, research shows. "Ransomware is a huge threat, where perpetrators will come in, access your network via a phishing scam or other means, and then encrypt all of your data, leaving you virtually helpless unless you pay the fee or keep current backups," Hill said.
The best way to protect against it, other than educating employees not to click on unfamiliar links or emails, is to back up your information, Hill said. That way, you can wipe your system and avoid paying the ransom but still have access to your data.