Cybersecurity

Strong Defenses

By Terra Carnrike-Granata and Andrew Frisbie


The ever-evolving digital world we operate in each day offers infinite opportunities for business growth and development, but it also presents many risks.

On the positive side, the artificial intelligence (AI) boom provides businesses of all sizes ways to streamline processes and operations, reduce costs, and generate revenue. On the other hand, the explosion of AI technology has created new pathways for sophisticated cybercriminal enterprises to attack.

According to a recent study from MIT Sloan and Safe Security, 80% of ransomware attacks are powered by AI-generated malware, phishing campaigns, and deepfake-driven social engineering. The study asserts that “AI has made ransomware attacks faster, more efficient, and harder to detect.”

In today’s threat landscape, hacking is a business. Sophisticated organizations operate like legitimate businesses, and their primary goal is usually financial gain through theft, extortion, and exploitation. These fraudsters have legitimate businesses of all sizes in their crosshairs.

According to a survey from Mastercard of more than 5,000 small and medium-sized business owners, 46% have experienced a cyberattack on their current business, and nearly one in five that suffered an attack later filed for bankruptcy or closed their business. Smaller businesses often do not budget for adequate cybersecurity protection and have fewer internal resources dedicated to cybersecurity, and criminals know it.


But even small or medium-sized businesses with limited cybersecurity budgets and resources can use these strategies to protect their assets from cyberattacks:

• Require multi-factor authentication (MFA). Without MFA, a single stolen or guessed password is enough to take over an account. Requiring it on every account that supports it, and preferring phishing-resistant methods (passkeys or hardware security keys) over SMS codes where possible, removes that single point of failure.

• Ensure all employees use strong, unique passwords, or consider passwordless options for improved security. The most important characteristic of a strong password is length: 12 characters is a reasonable minimum, and the 12 to 21 characters recommended here is guidance rather than a ceiling, so systems should accept longer passphrases. Good passwords also avoid predictable patterns (such as 123456, qwerty, or other keyboard walks) and should not include personal information like birthdays, addresses, or phone numbers. Passwords should be unique for every login, which in practice means using a password manager. Passwordless options replace the password with a passkey, a cryptographic credential bound to the site and unlocked on the device with a biometric or PIN; implemented properly, passkeys resist phishing because there is no secret for the user to type into a fake page.

• Install antivirus software on all company devices. Antivirus or endpoint-protection software blocks known malware and flags suspicious behavior from new variants; malware can steal your data, encrypt it so you cannot access it, or erase it completely. Keep it updated and enabled on every device, including laptops that leave the office.

• Keep all device software patched and up to date. Patching is fundamental to security because attackers exploit known vulnerabilities, often within days of a fix being published. Enabling automatic updates for operating systems, browsers, and business applications closes those holes before they can be used against you.

• Educate your employees. A robust security program, combined with awareness of warning signs, safe practices, and how to respond to an account takeover, is crucial for protecting your company and customers.

• Invest in third-party cybersecurity expertise. Getting outside eyes on your company’s security environment is critical to a well-rounded security posture. In most cases, the cost of an outside security consultant is reasonable when compared with the cost of a breach, including business downtime, reputational damage, a potential ransom payment, and data loss.

• Invest in adequate cyber insurance, which helps mitigate the financial impact of cyberattacks and data breaches by covering costs related to incident response, data recovery, legal fees, business interruption, and other potential liabilities.
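A policy check that encodes the password rules from the list above, added here as an example and not code from the article or from NBT Bank. The common-password denylist, the keyboard-walk table and the sample employee profile are constructed for the demo; a real deployment would check candidates against a full breached-password corpus rather than a handful of entries.

```python
"""Password policy check: minimum length, no predictable patterns, no personal
information. Added example; the denylist and PROFILE below are constructed."""
import re

MIN_LENGTH = 12  # the article recommends 12 to 21; only the minimum is enforced

# Constructed denylist. In production load a breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "123456789", "qwerty", "letmein",
                    "welcome1", "iloveyou", "admin123"}
# Rows of a US keyboard plus digit/alphabet sequences; any 4-char run (or its
# reverse) appearing in a password counts as a predictable pattern.
KEYBOARD_WALKS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "abcdefghij")

# Constructed employee profile; in practice pull from the HR/directory record.
PROFILE = {"name": "Jane Doe", "birthday": "1985-04-12", "phone": "555-0134"}


def _has_keyboard_walk(pw, min_run=4):
    low = pw.lower()
    for walk in KEYBOARD_WALKS:
        for i in range(len(walk) - min_run + 1):
            run = walk[i:i + min_run]
            if run in low or run[::-1] in low:
                return True
    return False


def _personal_tokens(profile):
    """Words of 3+ letters and digit runs of 4+ drawn from profile fields."""
    tokens = set()
    for value in profile.values():
        for tok in re.findall(r"[A-Za-z]{3,}|\d{4,}", str(value)):
            tokens.add(tok.lower())
    return tokens


def check_password(pw, profile=None):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if _has_keyboard_walk(pw):
        problems.append("contains a keyboard walk or sequence")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("contains a character repeated 4+ times")
    for tok in _personal_tokens(profile or {}):
        if tok in low:
            problems.append(f"contains personal information ({tok})")
    return problems


if __name__ == "__main__":
    for candidate in ("Short1!", "qwerty123456", "JaneDoe1985!x",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, PROFILE) or 'OK'}")
```

The check rejects on structure only; it says nothing about whether the password is already known to attackers, which is why the denylist should be a real breached-password list in practice.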

The rise in AI usage has also spurred an increase in high-quality email impersonation attacks and business email compromise. With higher quality phishing and social engineering tactics, scam emails look more realistic, so it is important to remind employees to pause and evaluate before responding, clicking on links, or downloading attachments, and to verify any payment or credential request through a channel they already trust. Encourage employees to report suspicious emails to the network administrator or security contact to be checked for signs of trouble.
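A triage routine for the impersonation and business email compromise patterns just described, added here as an example that is not part of the article: it flags a display name that matches a known executive but comes from the wrong address, a Reply-To that diverts answers elsewhere, a lookalike sender domain, and urgency or payment language. The internal domain, the executive directory and both sample messages are constructed for the demo.

```python
"""Heuristic BEC triage over raw RFC 822 messages. Added example; the domain,
directory and messages are constructed, not real traffic."""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-bank.com"                     # assumed
EXECUTIVES = {"Jane Doe": "jane.doe@example-bank.com"}   # constructed directory
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|today|before (?:close|eod)|wire|gift cards?)\b",
    re.IGNORECASE)


def _normalize(domain):
    """Fold common homoglyph substitutions so 'exarnple' compares equal to 'example'."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l").replace("3", "e"))


def _edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit=INTERNAL_DOMAIN):
    d = domain.lower()
    if d == legit:
        return False
    return _normalize(d) == legit or _edit_distance(d, legit) <= 2


def analyze_message(raw):
    """Return a list of findings for one message; empty means nothing flagged."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []
    expected = EXECUTIVES.get(name.strip())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To diverts replies to {reply_domain}")
    if from_domain != INTERNAL_DOMAIN and is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} looks like {INTERNAL_DOMAIN}")
    hits = sorted({m.lower() for m in URGENCY.findall(msg.get("Subject", "") + " " + body)})
    if hits:
        findings.append("urgency or payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@exarnple-bank.com>
Reply-To: jane.doe.ceo@gmail.com
To: cfo@example-bank.com
Subject: Urgent wire needed today

I'm traveling and can't take calls. Please wire $48,500 to the vendor below before EOD.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example-bank.com>
To: cfo@example-bank.com
Subject: Board deck

Attached is the draft for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, analyze_message(raw) or "no findings")
```

These heuristics complement, rather than replace, SPF/DKIM/DMARC enforcement at the gateway and an out-of-band callback before any payment change; a message with no findings is not proof of legitimacy.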

Financial institutions will never ask for personal information or account credentials in an email or text message, so it is good practice to call your bank directly if a suspicious email, phone call, or text raises concerns about your business bank accounts. Use the number on your card, statement, or the bank’s own website, not a number supplied in the message itself.

It is important to note that, even with processes and protections in place, businesses can still experience cybersecurity incidents and should be prepared to respond immediately. In the event of a cyber incident, businesses should stop activity on the affected network or system (isolating machines from the network rather than powering them off, which can destroy evidence needed for the investigation), contact their bank(s), and change online banking passwords from a device known to be clean. Depending on the level and seriousness of the incident, businesses may also need to file reports with local police and the FBI’s Internet Crime Complaint Center (IC3).

It is also critical to keep meticulous records of events around the incident to aid in the recovery process. NBT Bank’s Business Fraud Information Center provides a full range of resources and information as well as up-to-date fraud information and alerts to help protect your business from becoming one of the thousands victimized by scammers each year.


Terra Carnrike-Granata is senior director of Information Security at NBT Bank, where she designs and implements sophisticated controls to prevent loss and mitigate risk, while also developing innovative ways to educate consumers and businesses on cyberthreats. Andrew Frisbie is vice president and director of Information Security at NBT Bank, where he provides strategic leadership to and operational oversight of the Information Security, Cyber Operations, Third-party Risk Management, and Insider Risk Management programs.

Cybersecurity Special Coverage

Sophisticated Game


There’s no doubt, information security experts say, that people have become more savvy about detecting phishing attacks and other cyber threats.

Unfortunately, the hackers have become more savvy as well — exponentially so, in the era of artificial intelligence — and that’s a problem.

“The risk is getting worse, not better,” Delcie Bean said. “The sophistication of the attacks is getting infinitely better, and the variety or complexity of the attacks is getting significantly higher. And a lot of that is driven by AI.”

Elaborating, he explained that there are essentially two types of phishing attacks. One is the bread-and-butter, scattershot attacks that hope to ensnare as many random recipients as possible. And these hackers — many of them operating from foreign countries where English isn’t their first language — are now using AI to craft emails that sound more plausible, and don’t set off the same alarm bells as their cruder predecessors.

“But then there are high-value attacks, which are much more sophisticated and much more intelligent. They’re not just mass attacks sent out to hundreds or thousands or millions of people. They’re targeted attacks,” Bean said — and these employ AI to a troubling degree.

He related a real-life example of a CFO getting an email from a hacker posing as a vendor, urgently asking for a payment, at a time when the CEO was traveling and unavailable (which the hacker knew). To verify the transaction, the hacker set up a Zoom call with what turned out to be a deepfake version of an actual attorney.

“The lawyer says, ‘this is what the money is for; go ahead and wire it.’ And the CFO, at that point, is very comfortable and sends the money, no hesitation,” Bean said. “That kind of deepfake would have been impossible even three years ago; only Hollywood could provide that level of sophistication. But in the last couple of years, it’s so easy. You can get content online, combine it with certain tools, and do some really impressive stuff that’s beyond phishing — it’s straight-up cybercrime.”

Tim Miller, chief Information Security Officer at Community Bank, agreed that malicious AI tools are helping to create perfectly crafted phishing emails that are specific to a company or individual user, which is why the bank’s employees are not only trained on a regular basis to detect these threats, but tested as well.

“You don’t want to create a simulated phishing program without some level of training tied to failures,” he explained. “And you’ve got to make it believable; you’ve got to make it good. Sometimes that upsets people; we’ve done tests in the past that people have gotten really upset about, but that’s what these threat actors are doing. They don’t care what your feelings are. The point is to get an emotion out of you, a sense of urgency, of fear, and that’s how they get you to click.”

Exploiting the human element in cybercrime — known in IT circles as social engineering — is an ongoing concern for companies of all sizes.


Hoxhunt, an organization that helps companies with IT risk management, notes that the human element is a factor in 68% of data breaches, according to a Verizon report. Of those, the Comcast Business Cybersecurity Threat Report says 80% to 95% are initiated by a phishing attack, and the total volume of phishing attacks has skyrocketed since the advent of ChatGPT in 2022.

“I think the risks from AI are going to continue to develop, and we’ve already seen significant changes from what the risks were before,” Miller said. “What was theoretical risk a year ago is actual risk now, and what that’s going to look like a year from now, I think, is somewhat unknown.”


Damage Done

For companies that do fall prey to cyberattacks and data breaches, the damage can be significant, Miller said, especially for companies (like banks and hospitals) in highly regulated industries, publicly traded companies, and businesses that operate in multiple states.

“Even if you deem it a small-scale event, it can mushroom very quickly,” he noted. “Now, let’s take the example of ransomware, where they’re able to get in and actually encrypt your data. In almost every ransomware event over the last couple of years, they’ve combined that with data exfiltration. So not only are they preventing you from accessing your files, they have a copy of it themselves. So it’s a combination of them wanting money from you, and they have the data already.”

Another big risk in these events is reputation risk, he went on.

“If a customer knows that you’ve had a security incident or a breach, especially a significant one, how do they know their data is going to be protected going forward? How do they know that the company is ultimately going to be able to protect them in the future? And are they more likely to find somebody else to do their business with? That’s the thing with cybersecurity incidents — it starts to degrade trust a little bit, which makes it challenging for companies to overcome.”

That’s why cybercrime is actually much more prevalent than public reports would suggest, Bean said. “You’re not going to hear about 95% of them. The CEO or CFO doesn’t want to let that story get outside their little circle of trust.

“Ransomware has always been much more prevalent than we knew about because companies were keeping it secret, unless it caused a significant outage, like a hospital or an entire town being taken down,” he added. “For every one of those, another 100 businesses were hit quietly, and they dealt with it, and they weren’t telling anyone because they didn’t want it reaching the world because of loss of credibility and fear of lawsuits — and a lot of cybercrime stayed under the radar.”

Bean emphasized that the classic, non-AI attacks that have been around for years are still prevalent — essentially, “they’re trying to get you to log in and do something.” But these have become more sophisticated and targeted as well.

“They’ll know that you placed an Amazon order — ‘there’s a problem with the delivery of your dog food; click here if you still want to receive this order.’ They use very sophisticated tools to scrape your cookies when you’re on websites, and they see that you’re browsing for dog food, they assume you placed the order, and they send a very targeted attack. That stuff is growing.”

Miller said Community Bank communicates regularly with customers on how they can avoid becoming victims, while also making sure employees know what to look for.


“It’s important, from our perspective, to make sure everyone inside the company understands that cybersecurity risks are everyone’s responsibility. It’s not just my role,” he explained. “And it’s important for the folks in our branches to understand what these threats are because they are the frontline to customer interactions. And if they can relay some of the information to them, that’s obviously beneficial for all.”

That’s especially true at a time when threats are increasing. “I mean, the concept of deepfakes is very much here, and it’s not going anywhere. And that’s a concept that’s really challenging for people to grasp,” Miller went on, going back again to what he emphasizes internally, which is the importance of following established processes — for instance, when a possibly deepfaked company executive is asking for a wire transfer.

“It goes back to adhering to your processes and not necessarily going off of your emotion — because your emotion in that instance would be, ‘I want to satisfy the CFO by making this wire.’ But the reality is, you might have a verification step where you call the CFO back. These attacks have gotten so good that the whole ‘smell test’ piece may not work anymore. So you have to go back to certain things that you know will identify those risks.”


Strong Defense

Bean emphasized the importance of both training and testing employees, saying one without the other isn’t enough.

At the same time, however, “we’ve had to shift to almost accepting that there’s going to be a certain amount of successful phishing attacks. It’s like a war — you have to cede one line in the battle and retreat to a different position that you feel is more defensible.”

And that second position, in many cases, has been recognizing what a successful breach looks like — often using AI systems to monitor that — and locking it down before damage is done.

“Most commonly, they’re stealing Microsoft 365 or Google Workspace credentials. But the second they log into the system, there are certain hallmarks about how that’s going to look. The login is different in subtle ways; a login by a bad actor sends up suspicious flags. An AI system can evaluate that login, and if there’s anything remotely suspicious, a human can lock the account, send a report to us, and we take over the case from there.

“That’s definitely been a godsend. We’re seeing hackers getting through MFA [multi-factor authentication] or getting a password through phishing, but we’re catching them the instant they log in,” Bean went on, comparing it to having both external home security and motion sensors inside the house. “The police arrive before there’s any damage.”
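The kind of post-login check Bean describes, added here as an example rather than anything his or any vendor’s system actually runs: each sign-in is scored against the user’s own history for a first-seen country, network and browser, and against the previous sign-in for impossible travel. Only sign-ins with no findings feed the baseline, so a stolen-credential login does not teach the model that the attacker’s location is normal. The sign-in events are constructed; a production version would read them from Microsoft 365 or Google Workspace audit logs.

```python
"""Sign-in anomaly scoring over a user's own history. Added example; the
events below are constructed, not real audit-log data."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MIN_BASELINE = 3         # clean prior sign-ins needed before "first seen" checks fire
MAX_SPEED_KMH = 900.0    # faster than an airliner: physically impossible travel
MIN_TRAVEL_KM = 50.0     # ignore geolocation jitter inside one metro area


def _haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def score_signins(events):
    """Walk events in time order; return {event_id: [findings]}."""
    baseline = {}
    results = {}
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        prof = baseline.setdefault(ev["user"], {
            "countries": set(), "asns": set(), "agents": set(), "n": 0, "last": None})
        findings = []
        if prof["n"] >= MIN_BASELINE:
            if ev["country"] not in prof["countries"]:
                findings.append(f"first sign-in from {ev['country']}")
            if ev["asn"] not in prof["asns"]:
                findings.append(f"new network AS{ev['asn']}")
            if ev["agent"] not in prof["agents"]:
                findings.append("new browser/device fingerprint")
        last = prof["last"]
        if last is not None:
            km = _haversine_km(last["lat"], last["lon"], ev["lat"], ev["lon"])
            hours = (_ts(ev["time"]) - _ts(last["time"])).total_seconds() / 3600
            if km > MIN_TRAVEL_KM and (hours == 0 or km / hours > MAX_SPEED_KMH):
                findings.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
        results[ev["id"]] = findings
        if not findings:   # learn only from sign-ins we did not flag
            prof["countries"].add(ev["country"])
            prof["asns"].add(ev["asn"])
            prof["agents"].add(ev["agent"])
            prof["n"] += 1
            prof["last"] = ev
    return results


# Constructed sample: four normal sign-ins from New York, then a login from
# Lagos 42 minutes after the last one, then the real user again the next day.
CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/123"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/124"
NYC = dict(lat=40.71, lon=-74.01, country="US")
LAGOS = dict(lat=6.52, lon=3.38, country="NG")

SAMPLE_EVENTS = [
    dict(id="a1", user="alice", time="2025-03-03T13:05:00Z", asn=701, agent=CHROME_WIN, **NYC),
    dict(id="a2", user="alice", time="2025-03-04T13:12:00Z", asn=701, agent=CHROME_WIN, **NYC),
    dict(id="a3", user="alice", time="2025-03-05T12:58:00Z", asn=701, agent=CHROME_WIN, **NYC),
    dict(id="a4", user="alice", time="2025-03-10T08:20:00Z", asn=701, agent=CHROME_WIN, **NYC),
    dict(id="a5", user="alice", time="2025-03-10T09:02:00Z", asn=37148, agent=FIREFOX_LINUX, **LAGOS),
    dict(id="a6", user="alice", time="2025-03-11T13:00:00Z", asn=701, agent=CHROME_WIN, **NYC),
]

if __name__ == "__main__":
    for event_id, findings in score_signins(SAMPLE_EVENTS).items():
        print(event_id, findings or "clean")
```

Any non-empty finding list is the point at which the account would be locked and the case handed to a human, as in the workflow Bean describes; the thresholds here are illustrative and should be tuned against a tenant’s own false-positive rate.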

He added that this is a war being fought on multiple fronts, and companies need to take it seriously, through training, testing, and perhaps an outside partner.

“If someone can get in, it can be anywhere from a couple hundred thousand dollars to a couple million, and most businesses don’t have that floating around. Some go out of business or face financial hardships that might not be covered by cyber insurance. It’s not something you can afford to underinvest in.”

Miller added that “a lot of companies, especially smaller companies, don’t have budgets to invest in the latest and greatest, and that’s fine. It’s more about, are you patching your systems? Are employees aware of newer threats? There’s a lot that companies can do.

“These are the basics of cybersecurity — which, honestly, is what protects you 99% of the time,” he added. “It’s doing the basics of being skeptical. That’s one of the keys with phishing and all these other types of fraudulent attempts — being skeptical about it.”