Cybercrime: Business Email is a Common Gateway

The increase in cybercrime in the past several years shows no signs of abating, and as more of our business and personal lives are online the potential for compromise of financial accounts, email, and company data keeps growing. Our vulnerability is compounded by the increasing sophistication and resources of cyber criminals.

In the workplace, business email is the entry point for the majority of cybercrime, and good password practices are vital to protecting company data.

Password safety

Central in the effort to protect company data from attack is a strong password policy. Employees should receive training in how to devise good passwords – and how not to.

What not to use:

  • Child’s first name and birthdate
  • Pet’s name
  • Past or present street address
  • Name of your spouse
  • Wedding date
  • Your birthday or family member’s birthdays

These are all bad choices for passwords: they are too closely related to data that can be found online about you, and attackers build their password guesses from exactly that kind of data.

What to use:

  • A mix of uppercase and lowercase letters, with digits and punctuation where the system allows them
  • At least 12 characters; the longer the better
  • A passphrase: several unrelated words that you can remember but that do not describe you or your family
  • A different password for every account, so that one leaked password does not open the others
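One way to turn the guidance above into a check rather than a memo, as an added example that is not part of the original article: a small Python policy checker that rejects passwords that are too short, lack mixed case, or contain the personal details listed above (names, street, and dates in the spellings people actually type them). The personal words and dates it takes are whatever the account owner can supply about themselves; the sample values are constructed for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 12   # the minimum recommended above


def _normalize(text: str) -> str:
    """Lower-case and drop separators, so 'Fluffy_2015!' is still caught by the word 'fluffy'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _date_forms(d: date) -> set:
    """Spellings people actually type a date as: 20150312, 03122015, 031215, 3122015, 2015, ..."""
    return {
        d.strftime("%Y%m%d"), d.strftime("%m%d%Y"), d.strftime("%m%d%y"),
        d.strftime("%d%m%Y"), d.strftime("%d%m%y"), d.strftime("%Y"),
        f"{d.month}{d.day}{d.year}", f"{d.month}{d.day}{d.year % 100:02d}",
    }


def check_password(password: str, personal_words=(), personal_dates=()) -> list:
    """Return the policy violations for `password`; an empty list means it passes.

    personal_words: names an attacker could find online (children, pets, spouse, street).
    personal_dates: birthdays and anniversaries, as datetime.date objects.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("no mix of upper- and lower-case letters")
    norm = _normalize(password)
    for word in personal_words:
        nw = _normalize(word)
        if len(nw) >= 3 and nw in norm:          # ignore 1-2 letter words, they match everything
            problems.append(f"contains personal word '{word}'")
    for d in personal_dates:
        if any(form in norm for form in _date_forms(d)):
            problems.append(f"contains date {d.isoformat()}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a pet's name plus a child's birth year, the classic bad choice.
    print(check_password("Fluffy_2015!", ["Fluffy"], [date(2015, 3, 12)]))
    print(check_password("correct horse Battery staple"))
```

The check is deliberately run on the normalized form of the password, so that separators, capitalization and trailing punctuation do not let a personal word slip through; a real deployment would also compare against a list of previously breached passwords.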

Phishing emails

Phishing emails lead the way as points of entry for cyber criminals. A phishing email typically appears to come from someone you know, or from another company you do business with, perhaps a vendor. It often carries that company's logo and may even appear to come from someone inside the company with whom you regularly communicate. How do the criminals know who you email with? They may already have access to your mailbox, because your password was guessed or reused from another breach, and have been reading your mail; or they may have compromised the vendor's mailbox instead. Often, though, they need no access at all: the sender's display name is simply forged, or the message comes from a lookalike domain that differs from the real one by a single character.

A phishing email may try to gain access to your company's systems or financial accounts by posing an "urgent" problem that prompts you to "confirm" or change a password on a fake login page, or to make a quick payment by credit card or wire transfer. Or it may contain a link or attachment that, when opened, installs malware that gives the attacker a foothold on your company's network.
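The warning signs described above can be checked mechanically before a message reaches a person. The following Python triage routine is an added example, not code from the original article or its authors: it parses one raw email and reports a lookalike sender domain, a Return-Path that does not match the From domain, failing SPF/DKIM/DMARC verdicts recorded by the receiving server, the urgency and payment wording of the lure, and HTML links whose visible text shows one site while the href points to another. The trusted vendor domain and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the one vendor domain this mailbox legitimately receives invoices from.
TRUSTED_DOMAINS = {"acme-supplies.com"}
# Pressure and payment wording typical of the lure.
LURE_WORDS = ("urgent", "immediately", "wire", "payment",
              "verify your password", "account will be suspended")


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _fold(domain: str) -> str:
    """Collapse the substitutions lookalike domains rely on (1/l, 0/o, rn/m, hyphens, dots)."""
    return (domain.lower().replace("-", "").replace(".", "")
            .replace("1", "l").replace("0", "o").replace("rn", "m"))


def _host(url: str) -> str:
    m = re.match(r"https?://([^/\s]+)", url)
    return m.group(1) if m else ""


def triage(raw: bytes) -> list:
    """Return the phishing indicators found in one raw RFC 5322 message (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])

    # 1. Sender domain is a lookalike of a domain we trust, but not the real one.
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and _fold(from_dom) == _fold(trusted):
            findings.append(f"lookalike sender domain {from_dom} (expected {trusted})")

    # 2. Envelope sender (where bounces go) does not match the visible From domain.
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 3. The receiving server's own SPF/DKIM/DMARC verdicts, if it recorded them.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)", auth):
            findings.append(f"{mech} did not pass")

    # 4. Urgency / payment lure in the subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        findings.append("lure wording: " + ", ".join(hits))

    # 5. HTML links whose visible text shows one site while the href goes elsewhere.
    for href, shown in re.findall(r'href="(https?://[^"]+)"[^>]*>\s*([^<]+?)\s*<', text):
        if _host(shown) and _host(shown) != _host(href):
            findings.append(f"link text shows {_host(shown)} but points to {_host(href)}")
    return findings


# Constructed sample: a vendor impersonation with a lookalike domain (digit 1 for letter l).
PHISHING_SAMPLE = b"""\
Return-Path: <bounce@mail-blast.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-blast.example; dkim=none
From: "Acme Supplies Billing" <billing@acme-supp1ies.com>
To: ap@example.com
Subject: URGENT: overdue invoice - payment required today
Content-Type: text/html; charset="utf-8"

<p>Please wire payment immediately or your account will be suspended.</p>
<p><a href="http://acme-supp1ies.com.evil.example/pay">https://acme-supplies.com/pay</a></p>
"""

# Constructed sample: the real vendor's routine invoice mail.
LEGITIMATE_SAMPLE = b"""\
Return-Path: <billing@acme-supplies.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supplies.com; dkim=pass header.d=acme-supplies.com
From: "Acme Supplies Billing" <billing@acme-supplies.com>
To: ap@example.com
Subject: Invoice 4471 for March
Content-Type: text/plain; charset="utf-8"

Attached is invoice 4471. Net 30 as usual.
"""

if __name__ == "__main__":
    for line in triage(PHISHING_SAMPLE):
        print("phish:", line)
    print("legitimate findings:", triage(LEGITIMATE_SAMPLE))
```

No single indicator is proof on its own (a legitimate newsletter also has a mismatched Return-Path), which is why the function returns all of them and leaves the scoring to whoever runs it; the Authentication-Results check only means something when your own mail server wrote that header, since an attacker can add one to the message too.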

Ransomware

Emails also can expose businesses to ransomware, malicious programs that arrive as a link or attachment and run when the victim opens it. The program runs with the victim's own access rights, so it can encrypt not only that computer but every file share and server the victim's account can reach.

Ransomware is exactly what the name implies: it encrypts the company's data, enabling the cyber criminals to hold the data hostage and demand a "ransom" payment in return for the decryption key.

Some victimized companies pay the ransom; however, there is no guarantee the cyber criminals will decrypt the data. Others ensure their data is backed up frequently enough that, if it were encrypted, they could decline to pay the ransom and simply recover the data from the most recent backup. For this to work, at least one copy of the backups must be offline or otherwise unreachable from the network, since ransomware that can reach a backup share will encrypt it too, and restores must be tested before they are needed.

Does cybercrime impact Ohio businesses?

In the recent Manufacturing Advocacy and Growth Network (MAGNET) survey of Ohio manufacturers, 52 percent of respondents reported their businesses had been the targets of phishing schemes, 35 percent said cybercrime had impacted their operations, and 22 percent had their data locked by hackers. Accordingly, a majority of companies – 65 percent – said they have implemented some risk awareness training for their employees, with most of them bringing in an outside cybersecurity firm for its expertise. Yet only 31 percent reported that they perform phishing exercises, breach attempts, or penetration testing as part of their cybersecurity efforts.

How to protect data

To protect your company’s data from cybercrime, at minimum take the following measures:

  • Back up your data as frequently as necessary to minimize the damage if it is compromised. This could be once every 24 hours or once every hour. Consider how rapidly your company's data changes, based on the size of your company, the number of employees entering data daily or hourly, and your marketplace, and devise a backup and recovery plan that would have you back up and running as quickly as you need. Keep at least one backup copy off the network and test restoring from it; an untested backup is only a hope.
  • Be sure that your computer system is patched at least monthly. Patching means to fix security vulnerabilities or improve the operation of your system by fixing bugs. Patching must be done regularly; it’s not one and done.
  • Require vendors to show evidence of good cyber security practices. The major breach that Target stores experienced several years ago started with network credentials stolen from a heating and air-conditioning vendor.
  • Train your employees to recognize the types of cybercrime that may compromise them, both in the workplace and personally. Include examples of phishing emails and descriptions of how passwords can be hacked.
  • Require employees to create safe passwords on all business-related accounts, and give them examples of safe passwords so they understand what is needed. Passwords should be at least 12 characters.
  • Train employees not to use USB drives (“thumb drives” or “jump drives”) that come from a third party until your IT department has judged them safe. Such drives often are picked up at trade shows.
  • Use multi-factor authentication on all business-related accounts where possible. Multi-factor authentication requires two or more independent credentials: something the user knows, such as a password; something the user has, such as a security token or smartphone app; and something the user is, such as a biometric (fingerprint or retina scan). A stolen password alone is then not enough to log in. Prefer an authenticator app or hardware token over codes sent by text message, which can be intercepted or redirected.
  • Advise employees not to access password-protected accounts on mobile devices using public wi-fi unless they use a VPN, a virtual private network that encrypts your data and communications.

Who are cyber criminals?

The old notion of cyber criminals being “lone wolves” sitting in a dark room and wreaking havoc on any computers they can gain access to is a bit passé.

Today, cyber criminals run the gamut from the lone wolves to crime rings that steal personal and financial information to sell on the black market, as well as spies from foreign governments looking for ways to launch cyber strikes.

One thing is certain – cyber criminals are becoming more sophisticated, more numerous, and more threatening. And most companies are more reactive in dealing with cyber threats than proactive.

For more information on the key risks associated with cyberattacks, read our recent article, “Protect Your Organization: Understanding Five Risks Associated with Cyber-Attacks.” If you are concerned about your company’s vulnerability to cybercrime, contact our cybersecurity team for a consultation.
