Did cyberattacks against businesses increase during the pandemic?
Phishing email attacks have become increasingly sophisticated
March of 2020 hit most business owners like a ton of bricks. No one could have ever imagined a situation in which businesses would cease operating in the way they were accustomed.
Most certainly, we found CEOs of companies that never would have imagined offering remote work for their staff backed into a corner where they had to do just that.
Most businesses had done zero advance planning for such a situation, which meant they had to do it fire-drill style.
Unfortunately, the way most companies did this was with little to no attention being paid to security. Coupled with the fact that most organizations have approached cyber security training for their staff in a lackluster fashion, it was a recipe for disaster.
In 2020, there was a 150% increase in ransomware attacks, with the average extortion amount doubling. There was a 630% increase in attacks on cloud accounts last year.
What was driving these increases? Two things: most businesses were operating less securely than they were pre-pandemic, and their employees had been sent home without the tools to be cyber aware.
Cybercriminals found out long ago the easiest way into most organizations was through their staff. Phishing email attacks and credential stuffing are pure gold.
In companies where employees are not required to regularly change their passwords, they tend to reuse the same password or a variation of a password over and over. As breaches occur over time, these passwords become available for sale on the dark web. Credential stuffing is when cybercriminals use this readily available information to gain access to another resource.
We have seen bank accounts, credit cards, payroll accounts, and Office 365 accounts being accessed. In the case of Office 365, once they gain access to an administrator login, they have the “keys to the kingdom” as far as the company data is concerned. Or, after obtaining access to the payroll provider, they could divert a company's entire payroll run elsewhere.
A phishing attack is when an email is sent into an organization and, when clicked on, releases a virus that then travels through the entire organization’s computer network. These attacks have become much more sophisticated and targeted over the last year, making them more difficult to spot. In addition to ransoming the attacked company, in 2020 criminals upped the ante and started to also ransom its customers and employees. The game has changed.
This is a Lucrative Business
Ransoms continue to increase because, time and time again, there is a payoff, as in the cases of Regis University and the City of Lafayette, both of which experienced ransomware attacks in 2020 and paid their respective ransoms.
By the end of 2021, cybercrime damage costs are expected to hit $6 trillion annually.
3 Things Businesses Can Do to Mitigate Their Risk
1. Employee Training. Many successful cyber-attacks are aimed at the lowest-hanging fruit: our staff. Providing ongoing training for your people and for yourself is one of the best things that you can do to lower the risk to your company. Training should include such topics as email safety, internet browsing, password management, unauthorized software, social engineering, and safeguarding company data.
2. Review Your Cyber Security Insurance Policy. While a cyber security insurance policy is certainly no get-out-of-jail-free card, it is absolutely something that you should have. Reach out to your commercial insurance agent to make sure that you have a standalone cyber liability policy with an appropriate level of coverage for your company.
3. Get a Cyber Security Assessment. Make sure that you are regularly assessing where your organization stands as it relates to security. This is a moving target, and you must remain fluid with it as well. It is important to have your provider look at the cyber policy to make sure that all the requirements of the policy are being fulfilled or you could end up with a denied claim when your company is on the receiving end of an attack.
Cybersecurity simply is not an IT problem, it’s a business problem
It is a business problem whose potential cost to our businesses, in both reputation and revenue, keeps growing. Its impact is growing year over year because many businesses have decided to simply ignore it. The time in which that is a feasible option is long gone. From this point forward it simply must be part of the strategic planning process for your business.
Jeri Morgan is the co-author of the books Hack Proof Your Business and Adapt and Overcome, and is the CEO of Denver-based Code Blue Computing, which provides Cyber Security and IT Support Services to businesses.