Don’t Make Hackers’ Jobs Easier: Tips to Avoid Cyberattacks
This article originally appeared on www.sleeter.com.
Picture a big, burning fire. Red and orange flames inflicting catastrophic damage. Behind every fire is a catalyst, something that sparked its ignition, or a series of events that made it inevitable. Data breaches are like fires in this way. When a data breach occurs, executives and IT leaders look at the burned-out husk of their network infrastructure and ask themselves incredulously, “How did this happen?” and “Why did this happen to us?”
Todd O’Boyle will present the session, An Accountant’s Guide to Cyber Threats, at Accountex 2016.
What many firms don’t realize is that while hackers were the ones to carry out the attack, their own reactive cybersecurity strategy provided the bad guys with the fuel for the blaze. To stop these breaches, CPAs and accounting professionals need to understand how these hackers work, and the motivation behind their actions.
Hackers are typically driven by one of two motivations: they want either your money or your information. Each goal calls for its own set of defensive preparations, which, done correctly, help an organization mitigate the risk.
Hackers trying to steal money are typically a loud bunch. They look to break into a firm’s network, encrypt critical information, and then try to extort CPAs and accounting professionals for as much money as possible before they give them back access to their files.
These types of cybercriminals commonly use two tactics when trying to get into your system:
1. Phishing attacks; or
2. Malicious advertisements, also known as malvertising.
These attacks are typically high-volume and slightly personalized, as the cybercriminals’ goal is to deliver their malicious wares to the widest number of recipients possible.
Money Theft: How It Works
This kind of attack tends to start with a phishing email, a message that entices the reader into opening a malicious file. Since the attacker is looking for the simplest and most effective way into the corporate network, they often impersonate trusted government agencies or corporations (e.g., FedEx, TurboTax, or the IRS). They typically send an aggressive message warning that the recipient must “RESPOND IMMEDIATELY!”, creating a sense of urgency that short-circuits careful reading.
These emails carry a malicious link or attachment that runs malware when the recipient opens it. Once that foothold is established, the malware encrypts every file it can reach, including files on shared network drives, and then delivers the attacker’s ultimatum: pay, or lose all your data.
Money Theft: What You Can Do
In the case of ransomware, an ounce of prevention is worth a pound of cure. Training your staff and peers not to open unexpected attachments, especially macro-enabled Office documents and PDFs from unknown senders, stops most of these attacks cold at no cost to your business. Back that training up with an anti-malware solution that protects the users who do click. If the malware never runs, the attack is a non-event.
If the ransomware does take control of your data, that will be a rotten week. The most powerful tool any accounting practice can have in place against a ransomware infection is a sound data backup policy. Because all of your company’s files will be held for ransom, having copies stored off-site, and not reachable from the infected network (ransomware will encrypt any backup drive or share it can write to), erases the attackers’ leverage. Restoring from backups should be treated as the contingency plan, not a substitute for prevention: you are looking at a costly, multi-hour restoration that could cripple your business, and you should test that restores actually work before you need them. That said, it is a far better outcome than forking over thousands of dollars to a hacker, or losing the files outright.
Not all hackers go into an attack looking for your money—sometimes they want your information. These data thieves are usually on the hunt for your company’s sensitive financial and customer data. Unlike their bombastic money-grabbing counterparts, hackers trying to steal information are much stealthier and carefully target their victims. Rather than force firms to give them money, they want to observe and gather as much data as possible as quietly as possible so they can play the long game of stealing from you for years. These data-gathering attacks take time and effort on the part of the cybercriminals, but the gains are much higher on average than from a one-time hit for money.
Information Theft: How It Works
Data thieves use phishing emails in this type of cybercrime as well, but with a slightly different approach: low-volume, highly targeted emails aimed at specific people, frequently impersonating a CEO or other leader within the firm. This tactic is known as “whaling,” and it involves cybercriminals researching how the person they impersonate writes emails, who they have personal relationships with, and how business processes work inside your organization.
Example of a whale phishing email:
Look at this press release Dewey, Cheatham, and Howe, LLC put out! I can’t believe their CEO is under indictment for mass fraud inside the organization!
“DCH, LLC Fraud Response Press Release.pdf”
Lurking inside that PDF is the latest malware. Once you open it, attackers can begin their task of stealing information from you. Ask yourself: Would you open this if you thought it was from one of your staff?
Information Theft: What You Can Do
Educating yourself and your staff on common phishing tactics is, once again, your best bet to protect yourself. The challenge here, though, is that the attackers are going to appear as your colleagues. They’ve done their homework and will be sending you convincing emails to open.
This is an attack where you need an anti-malware solution that can stop phishing emails, that also helps you discover and respond to an intrusion once it has happened, and that does not require a big IT and cash investment. Strongarm, for example, is a malware protection solution built to solve this problem for small to midsize businesses: it is affordable, easy to use, and can be set up in under 10 minutes.
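The two lures described above (the “RESPOND IMMEDIATELY” brand impersonation that delivers ransomware, and the whaling message that borrows a colleague’s name) share a handful of observable traits that a mail filter can score before a user ever sees the message. The following is an added example, not code from the original article, from Strongarm, or from any other product: it parses a raw email, checks whether the display name claims a trusted brand or a staff member while the sender’s domain disagrees, looks for urgency phrases, and flags attachment types that run code or carry macros. The brand list, the staff directory, the scoring weights, the quarantine threshold and the three sample messages are all illustrative assumptions constructed for the example.

```python
"""Score inbound e-mail for the phishing traits described in the article.

Added example; not the article's, Strongarm's, or any vendor's code.
Brand list, staff directory, weights and sample messages are constructed.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Brands the article names as commonly impersonated, with the domains those
# senders legitimately use (assumed for the example).
TRUSTED_BRANDS = {
    "irs": ("irs.gov",),
    "fedex": ("fedex.com",),
    "turbotax": ("intuit.com",),
}
# Hypothetical staff directory for the whaling check: display name -> firm domain.
INTERNAL_STAFF = {"jane doe": "example-cpa.com"}
URGENCY = re.compile(
    r"\b(respond immediately|urgent|final notice|account (?:will be )?suspended|within 24 hours)\b",
    re.I)
# Extensions that execute on open or routinely carry macros. Note that .pdf is
# deliberately absent: blocking every PDF is impractical, so the whaling lure
# below is caught by the colleague-impersonation check, not by its attachment.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm", ".pptm", ".zip", ".iso"}
WEIGHT = {"impersonation": 3, "urgency": 1, "attachment": 2}  # assumed weights
QUARANTINE_AT = 3


def _same_org(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def score_message(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    name = display.strip().lower()
    findings = []

    # 1. Display name claims a trusted brand, but the address is not that brand's domain.
    for brand, domains in TRUSTED_BRANDS.items():
        if re.search(rf"\b{brand}\b", name) and not _same_org(domain, domains):
            findings.append(("impersonation", f"display name claims {brand!r} but sender domain is {domain!r}"))

    # 2. Whaling: a known staff name arriving from outside the firm's domain.
    staff_domain = INTERNAL_STAFF.get(name)
    if staff_domain and domain != staff_domain:
        findings.append(("impersonation", f"{display!r} is a staff name but sender domain is {domain!r}"))

    # 3. Pressure language in the subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    hit = URGENCY.search(text)
    if hit:
        findings.append(("urgency", f"pressure phrase {hit.group(0)!r}"))

    # 4. Attachments that run code or carry macros.
    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        ext = "." + fn.rpartition(".")[2].lower() if "." in fn else ""
        if ext in RISKY_EXT:
            findings.append(("attachment", f"{fn!r} can run code or carry macros"))

    score = sum(WEIGHT[kind] for kind, _ in findings)
    return {"sender": addr, "score": score, "quarantine": score >= QUARANTINE_AT,
            "reasons": [why for _, why in findings]}


def build_sample(sender, subject, body, attachment=None):
    """Build a constructed raw message; the attachment payload is a placeholder."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "partner@example-cpa.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder payload", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


SAMPLES = {  # constructed messages modelled on the article's two lures plus a benign one
    "ransomware_lure": build_sample(
        "IRS <refunds@irs-notice-center.com>", "RESPOND IMMEDIATELY: your refund is on hold",
        "Your refund cannot be released until you complete the attached form.", "Refund_Form.docm"),
    "whaling_lure": build_sample(
        "Jane Doe <jane.doe@mail-example.com>", "Look at this press release",
        "Look at this press release Dewey, Cheatham, and Howe, LLC put out! "
        "I can't believe their CEO is under indictment for mass fraud inside the organization!",
        "DCH, LLC Fraud Response Press Release.pdf"),
    "legitimate": build_sample(
        "FedEx <tracking@fedex.com>", "Your package has shipped",
        "Tracking number 123456789012. Expected delivery Thursday."),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = score_message(raw)
        print(f"{label}: score={result['score']} quarantine={result['quarantine']}")
        for why in result["reasons"]:
            print("   -", why)
```

The ransomware lure trips all three checks (brand mismatch, urgency, macro-enabled attachment); the whaling lure trips only the staff-name check, which is why impersonation carries the heaviest weight: a well-researched targeted message will not shout “URGENT”, so the sender identity has to do the work. Checks of this kind complement, rather than replace, the DMARC and attachment sandboxing a mail provider performs.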
As you can see, hackers have built up an innovative arsenal of attacks, making cybersecurity a never-ending battle. Businesses put themselves in a better position to protect their data if they understand cybercriminals’ motivations when mapping out the firm’s cybersecurity strategy. CPAs and accounting professionals who take the time to build resilience into their networks will be rewarded tenfold when hackers inevitably come knocking and decide, after scoping out your defenses, to go find a softer target.