Cyberattacks are gaining momentum

Companies can employ a few important measures to mitigate financial and data security risks.

A new report from the Federal Bureau of Investigation found cybercrimes cost Michiganders more than $181 million last year, and a local expert says the risks will only continue to rise amid the Russia-Ukraine conflict.

The FBI’s 2021 Internet Crimes Report showed Michigan was eighth among all 50 states by reported victim losses in the millions of dollars last year, with losses of $181.6 million. The report also showed the number of complaints and dollar amounts of losses have been rising steadily over the past five years, with U.S. losses of $1.4 billion across 301,580 complaints in 2017 and losses of $6.9 billion across 847,376 complaints in 2021.

David Sikina, a senior manager in the cybersecurity division at Plante Moran’s Grand Rapids office, recently spoke to the Business Journal about a few steps companies can take to avoid cyberattacks.

A blog post Sikina co-authored, “Rising cyber risks amid recent events: Measures you can take to prepare for evolving threats,” published March 8 on Plante Moran’s website, stated that as the Russia-Ukraine conflict continues, Russia likely will continue to escalate cyber warfare against the U.S. to obtain or destroy sensitive data, slow down the supply chain and sabotage other aspects of the economy.

Sikina said Russian hackers already launch malware attacks, which enable bad actors to control or gather information from information systems; data-wiping malware; malware that exfiltrates sensitive information; ransomware and advanced ransomware techniques to steal data in addition to locking company networks; and social engineering to gain information, passwords and fodder for future cyberattacks.

Small companies in Michigan should not assume they will be immune to the risks, Sikina said. For instance, as large corporations in the manufacturing sector beef up their security processes, Russian hackers could potentially go downstream and target smaller suppliers to interfere with their ability to manufacture chips and components. Likewise, financial institutions could be targeted and experience the theft of data and assets.

The FBI report showed that phishing (scams via email to induce recipients to share sensitive information), vishing (voicemail phishing), smishing (SMS text phishing) and pharming (using malicious code on the victim’s device to redirect to an attacker-controlled website) were the top forms of cybercrime in 2021.

“(Phishing) starts the chain of compromise on the system or on their account, and that’s still predominantly the way that hackers are getting in,” Sikina said, noting older employees often are targeted because they tend to be less tech-savvy and have more available funds.

The next most common forms of cybercrime in 2021 were nonpayment/nondelivery, personal data breach, identity theft and extortion.

Regardless of their industry, Sikina said organizations should see now as the time to create a multi-layered approach to cyber risk mitigation, using the expertise of an IT vendor or an internal cybersecurity team.

In addition to having strong information security policies, it’s important to raise employee awareness on the prevention end. He said employers and their employees should strive for the following:

Be vigilant

Don’t click suspicious links in emails, download malware while on the internet or give out passwords to anyone to whom you would not give the combination of your safe, he said.

“Because of phishing attacks, your employees are your last line of defense from a cybersecurity perspective. The more aware they are, the less they are going to click on a bad link or respond to an invalid email,” Sikina said.

“This translates into the personal, too, is something I always stress when I do awareness training with staff. … Everybody has a personal email, and we all have banking accounts and brokerage accounts and things that we’re logging into every day in our personal life, and all of that applies there equally.”

Take more care

Be careful about where you store sensitive information. Where do you store your tax returns: online or on your home desktop? The same goes for sensitive company information. Is the location encrypted and is access controlled by strong tools such as unique passwords or multifactor authentication?

“We liken it to locking the doors and the windows to your house — doing the basic things like enforcing strong, robust passwords, using multifactor authentication, patching their systems, having a good detection and response solution in place, the basic building blocks of cybersecurity — those are still part of the overall solution and very important to do on a day-to-day basis,” Sikina said.

Be more prepared

Prepare as if you will get hacked, Sikina said. If a hacker is holding an organization’s systems hostage, they will have less to worry about if they have a plan in place.

“We’re seeing the dual-threat attack these days — not only will (the attackers) encrypt systems and make them unavailable, but prior to doing that, they will exfiltrate sensitive data and use that as additional leverage to get a company to pay the ransom,” Sikina said.

“If you’re being targeted by a cyber gang or a nation/state, if a particular organization is being targeted, it’s very difficult, because they’ll spend weeks, even months looking for a way into an organization and find a compromise and a way to leverage the systems in there, and so you’ve got to be in a position where you can defend and respond to that. In the case of ransomware, you’ve got to have a plan in place to recover your systems, to communicate to your employees, and that might be difficult if all your computer systems are unavailable. So having what we call an incident response plan in place is very key.”

Sikina and his co-authors, Joe Oleksak and Mike Lipinski, wrote in their blog post for Plante Moran that companies can take the following steps to reduce their organization’s risk:

  • Communicate regularly to users and stakeholders. Advise them of the threats and remind them they are a critical part of mitigating cybersecurity risk.
  • Review the status of patches and updates for systems and software.
  • Test the health of recent backups and stage a test recovery.
  • Review the incident response plan. Run a tabletop exercise to test the plan.
  • Review alerts from threat detection systems.
  • Test and validate the effectiveness of security controls and systems.
  • Contact cybersecurity vendors for updates and information.
  • Get updates from reliable cybersecurity resources, such as the Cybersecurity & Infrastructure Security Agency.
