Galvanize | Cybersecurity, risk, and resilience: Why your team must be ready

    By Kevin Juhasz for Hack Reactor

    In 2019, the Federal Bureau of Investigation received more than 465,000 reports of cybercrimes – about 1,300 reports per day – that cost businesses and individuals more than $3.5 billion. The amount of money being stolen by scammers has more than tripled in the last five years.

    The Covid-19 pandemic is not helping the situation. More employees are telecommuting than ever before, some using unsecured computers on unsecured networks. This has become ripe territory for scammers, and cybersecurity reports are up around 40% since the stay-at-home orders started.

    “At one time, most cybersecurity was focused on perimeter defense, and it was assumed that everything inside the perimeter was safe,” said Dave Hatter, Cybersecurity Consultant for InTrust IT. “Now you have people using devices that may or may not meet the profile for cyber hygiene, and the cybersecurity team might not even be aware of it.”

    For larger companies, the news of a security breach can have a devastating effect on their ability to do business. For smaller companies, one fake e-mail could wipe them out. Scammers will go after a business of any size and target any employee they can find who can open up access to a company’s accounts. This is why it’s important for companies to teach every single employee about cybersecurity.

    Not every employee in a company needs to be trained to the level of a cybersecurity expert, but every employee should have some type of upskilling to help them avoid a potentially serious issue. This is because the biggest problem in cybersecurity is fraudulent business emails. Even though email scams make up only 6% of the reports to the FBI, they account for almost half of the money that’s stolen: $1.7 billion in 2019 alone.

    A company should look at its employees’ jobs and determine how much cybersecurity training each role needs. Every employee should be made aware of phishing scams. Employees in departments such as finance or accounting may need more training because they may have access to company accounts. Executives are another group that needs additional training, since they tend to be the decision-makers. A company’s IT department should receive the most training if it doesn’t already have it.

    Some training isn’t that technical. It’s a simple case of teaching employees to recognize when an email is a scam. Employees need to be taught to create stronger passwords, which is still an issue after a couple of decades of creating them. Finally, employees need to keep their software updated and stop installing every app available on their phones, because cybercriminals can use out-of-date software and untrusted apps to gain access to a company’s more sensitive information. It can be an uphill fight because employees typically don’t want to deal with the issue.

    “The average office worker just needs high-level awareness training,” Hatter explained. “They need to know what phishing is and what the red flags are. (Such as) when you get an email that says you need to transfer money or something that’s different than you’ve done before.”

    Hatter thinks training is a win-win for everyone because it not only teaches employees to be safer at work, but also teaches them to make their homes and devices more secure.

    Once the initial training is complete, companies need to consider ongoing training for any new security issues that arise. This is critical because scammers are constantly evolving their craft, and the tools that help them pull off the scams are more plentiful, more affordable, and faster.

    “It’s never been easier for the bad guys to automate much of this stuff and build spoof web sites that look dead-on to the real thing with the naked eye,” Hatter said.

    New technology has also opened more avenues for scams. Cloud-based services and home networks can now reach business networks. Even a person’s smart refrigerator is now a potential starting point for a cyberattack. Hackers have access to a search engine that does nothing but look for systems they can exploit.

    “You’ve got all these different attack vectors that are now a real issue that really didn’t exist as little as two or three months ago with the pandemic, certainly four or five years ago,” Hatter said.

    While some cybersecurity-related training is simple, developers and IT professionals most likely need to take continuous deeper dives, including staying up to date on cloud development, Java and object-oriented programming.

    Experts recommend that cybersecurity practitioners be skilled in Python for interacting with files and dealing with binaries, JavaScript for dissecting web-based exploits, and Java, which is the most popular language for secure coding.

    According to the CyberSecurity Guide, “Java is important for security practitioners because it is so widely used. A variety of industry sources estimate that over 95 percent of enterprise desktops run Java, and of all computers in the U.S., 88 percent run Java.”

    Although companies may not want to spend the money to cover cybersecurity, Hatter said, it’s critical to avoiding potential ruin.

    There are insurance companies that will cover the cost of an attack, but those policies don’t pay out until a company has made every attempt to protect itself.