Trends and Technology
6 Cybersecurity Threats Every CFO Should Know About
September 25, 2020 | The C2FO Team
As any financial executive knows, the threats to company data are constant. Here are six common tactics cybercrooks may use to hack into your business.
Remember the great Twitter hack of 2020? Cybercriminals launched a Bitcoin scam by hijacking the accounts of high-profile users like Barack Obama, Kim Kardashian, Jeff Bezos and many others.
The hack took place on July 15. If it already feels like a distant memory, that’s because new reports of cybercrime just keep coming. Hundreds of cyberattacks have been reported in 2020 alone, including the large data breach at Magellan Health and the discovery of more than 500,000 Zoom account credentials for sale on criminal forums soon after Zoom became the go-to videoconferencing app of the COVID-19 era. (Those credentials were not stolen from Zoom itself; they were harvested by “credential stuffing,” trying passwords leaked in earlier breaches against Zoom logins, which is one more reason reused passwords are dangerous.)
Cybercrime is a leading threat to businesses, one that every executive needs to take seriously. Here are six of the top cybersecurity threats facing us today, along with a few suggestions for preventing or responding to them.
Phishing
Phishing usually arrives as an email or text message that appears to come from someone the recipient knows or trusts. It carries either an attachment that installs malware when opened or a link to a look-alike login page that harvests the victim’s username and password.
Phishing scams are easy to perpetrate because they take advantage of people’s trust in their friends and coworkers. Even those of us who know better may carelessly open an attachment or click a link if we think we know who sent it. An attacker needs to catch only one worker off guard to do substantial damage to an entire organization.
While phishing is an old scam, it remains one of the most common. According to one report, an estimated 78% of cyber espionage incidents in 2019 involved phishing. The tactic has become more effective as attackers have adopted more sophisticated techniques. Some now deliver their lures through collaboration and file-sharing apps rather than email, exploiting the trust users place in those platforms. Others have started using artificial intelligence (AI) to make their phishing messages read more convincingly or even to clone an executive’s voice for a phone call. As cybercriminals keep improving their methods, businesses and their employees need to keep up.
What to do about phishing
Since phishing exploits human behavior, the first line of defense is training. All employees need to understand what to watch out for and to think before opening any suspicious attachment or link. Training alone will not stop every attack, so pair it with controls that limit what a successful phish can do. Require multi-factor authentication on email and financial systems, so a stolen password alone is not enough to log in. And give access to sensitive data only to those individuals who absolutely need it to do their jobs. This “principle of least privilege” can be challenging to implement, but it limits how much damage one compromised account can cause.
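As an added example, not part of the original article, the following Python script applies three of the checks employees are trained to make by eye to raw email headers: a known person’s display name on an address that is not theirs, a sender domain that is a look-alike of the company’s own, and a Reply-To that quietly redirects replies elsewhere. The company domain, the allow-list of names and the sample messages are constructed for illustration; a real deployment would run this as a mail-gateway rule against the organization’s actual directory.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed internal domain and allow-list of people attackers like to
# impersonate. Both are constructed for this example, not real data.
COMPANY_DOMAIN = "example.com"
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example.com",      # hypothetical CFO
    "accounts payable": "ap@example.com",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw: str) -> list[str]:
    """Return warning codes for one raw RFC 5322 message (empty list = no finding)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = domain_of(addr)
    findings = []

    # 1. A known display name on an address we do not expect for that person.
    expected = KNOWN_SENDERS.get(" ".join(name.lower().split()))
    if expected and addr != expected:
        findings.append("display-name-impersonation")

    # 2. An external domain within two edits of our own is a classic look-alike.
    if (from_domain and from_domain != COMPANY_DOMAIN
            and levenshtein(from_domain, COMPANY_DOMAIN) <= 2):
        findings.append("lookalike-domain")

    # 3. Replies silently routed to a different domain than the visible sender.
    reply_to = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != from_domain:
        findings.append("reply-to-mismatch")

    return findings


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 forecast

Attached as discussed.
"""

SPOOF = """From: Jane Doe <jane.doe@outlook-mail.test>
Reply-To: finance-desk@mailer.test
To: bob@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

LOOKALIKE = """From: Accounts Payable <ap@examp1e.com>
To: bob@example.com
Subject: Updated bank details

Our remittance account has changed, see attached.
"""


def scan_samples() -> dict[str, list[str]]:
    """Run the checks over the constructed samples."""
    return {
        "legit": check_headers(LEGIT),
        "spoof": check_headers(SPOOF),
        "lookalike": check_headers(LOOKALIKE),
    }


if __name__ == "__main__":
    for label, result in scan_samples().items():
        print(f"{label:10s} {result or 'no findings'}")
```

The script deliberately does not try to be a spam filter: an unknown external sender with a clean domain produces no finding. It only flags the specific deceptions the section describes, which is also what keeps the false-positive rate low enough for a finance team to act on every alert.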
Ransomware
In a ransomware attack, malware encrypts a company’s files and systems, leaving them unusable until the victim pays a ransom for the decryption key. Increasingly, attackers also copy sensitive data before encrypting it and threaten to publish it, so that even a victim with good backups faces pressure to pay. Victims without usable backups often feel they have no choice but to pay, although paying does not guarantee that the data will be recovered. Healthcare providers, city governments and school districts have all been hit by ransomware in recent years.
Ransomware continues to grow more sophisticated and harder to detect. It has often targeted smaller businesses and government entities that lack up-to-date patching, backups and monitoring, but attackers are increasingly going after larger organizations and the cloud services they depend on.
What to do about ransomware
Firewalls should be up to date and should block remote-access services such as RDP from the open internet, a common ransomware entry point, but a firewall will not stop an attachment an employee opens. Keep every system patched and make sure all company devices run current antivirus or endpoint protection. Since ransomware is most often delivered through phishing, education of all employees is of utmost importance in preventing attacks. Just as important: you need a plan for responding to a ransomware attack. Back up all data to a separate location that the ransomware cannot reach, such as offline or immutable storage, because modern ransomware deliberately seeks out and encrypts network backups, and test restores regularly so that operations can resume as soon as possible after an attack. A communications strategy should be in place for informing customers, shareholders and employees about the incident and the company’s response.
Internet of Things (IoT) attacks
With such a variety of devices connected to the internet (cameras, printers, smart TVs, building controls), many of them brought to market quickly and without basic security features such as unique passwords or a way to receive updates, it’s no wonder that cybercriminals exploit their vulnerabilities. These appliances serve as entry points from which attackers can move into the rest of the network.
What to do about IoT attacks
Keep an inventory of every smart device used in your business and make sure its firmware is kept updated. Change the default credentials on every device and use strong, unique passwords. Put IoT devices on a separate network segment so that a compromised camera or printer cannot reach finance systems. Research each device and evaluate the security risks it poses before allowing it into the workplace.
Insider threats
Employees have both inside knowledge of your organization and access to the data that cybercriminals want to get their hands on. Sometimes a disgruntled employee, or one motivated by personal gain, intentionally introduces malware or walks out with data. More often, the internal threat is someone who either doesn’t understand a security protocol or neglects to follow it. In either case, the costs can be enormous.
What to do about insider threats
As with so many cybersecurity threats, education of the workforce is key. Employees should receive thorough training and frequent refreshers to help them guard against spam and phishing attacks. Another important safeguard is tight control over who can access sensitive data. Many companies are lax about this, granting “superuser” or admin-level access to almost everyone on the network. Restricting access, and logging who accesses what, greatly reduces the odds that one of your employees, whether malicious or merely careless, becomes the vector of a cyberattack.
Remote worker vulnerability
Now, of course, hundreds of thousands of employees do their jobs from home, and many may continue to do so even after the pandemic is over. Remote workers are often at greater risk because they lack the perimeter protections (firewalls, web filtering and the like) that are standard in most corporate offices, and home routers and personal devices are rarely patched or monitored. If they use mobile phones for work (as more and more employees do), the small screen often hides the cues that would expose a phishing message on a desktop client, such as the sender’s full address or the real destination of a link.
What to do about remote worker vulnerability
A strict set of protocols for working at home can minimize the cybersecurity risks of remote work. A good policy is to require that only company-managed devices be used for work, or at least that any device be approved and enrolled in device management before it touches business data. Use of a virtual private network (VPN) should be mandatory for reaching internal systems, and every remote login, whether to the VPN or to a cloud service, should require multi-factor authentication. Be sure your cloud services are configured securely and require that all employees use them rather than personal accounts or personal storage.
Deepfakes
Machine learning and AI are becoming so advanced that they can already produce fake photos, video and audio that are hard to distinguish from the genuine article, and the gap is closing fast. Politicians will be made to say damaging things they’d never say in real life. Videos will show celebrities making career-ruining gaffes. And, of course, cybercriminals will find ways to exploit this advancing technology for their own ends. Imagine how much more effective a phishing attack will be when the sender looks and sounds exactly like the recipient’s trusted friend or coworker.
What to do about deepfakes
Although deepfakes have already proved convincing on the internet and social media platforms, they can still be detected. One method compares the “noise profile” that a real camera sensor leaves in an image with the different statistical fingerprint left by a generator. As AI-generated deepfakes become more advanced, AI detection techniques will need to keep up with them so that fakes can be blocked before they do damage. For a finance team, though, the more reliable defense is procedural: any request to move money or change payment details, however convincing the voice or video, must be verified through a separate, pre-agreed channel such as a call back to a known phone number. Once again, employees will have to be trained not to assume that any message is real until they have confirmed it with the sender that way.
Those are six of the top cybersecurity threats facing businesses today, but this list is only a start. Other threats include mobile malware, DDoS attacks and 5G-to-Wi-Fi vulnerabilities, to name just a few.
The most important thing to keep in mind is that cybercrime is constantly advancing right along with technology. Legacy defenses like antivirus software are still important, but they’re no longer enough to contend with the sophisticated tools and techniques that attackers now use.
In fact, cybercrime has become a major industry in itself. New business models like malware-as-a-service make tools available to anyone wishing to make easy money by launching an attack.
Never has it been more important to make sure that your cybersecurity technology is up-to-date and that your workforce is properly trained in preventing attacks.