Protect Your Business from Cyberattacks: Cybersecurity Best Practices
An interview with Chris Bowman
In today’s digitally connected world, every company (large and small) is a reachable target for a cyberattack and at risk for a data breach. Cybercrime is growing. Data breaches have skyrocketed in 2023. According to an analysis by Identity Theft Resource Center, in the first half of 2023, data breaches increased by 152.5% – from 62 million to 156.6 million. In the last 12 months, 70% of small businesses in the U.S. were victims of a data or cybersecurity breach.
The financial impact of cybercrime, according to research done by Cybersecurity Ventures, is expected to reach $8 trillion in 2023 and $10.5 trillion by 2025. More and more cyber breaches are making headlines, with MGM Resorts reporting an estimated $100M loss from cyberattacks, 23andMe suffering a data breach that affected 999,999 people, and Equifax being fined 11 million pounds ($13.4 million) by the Financial Conduct Authority (FCA), Britain’s financial regulator.
Cybercrime imposes substantial burdens on organizations, encompassing time, financial resources, the theft of intellectual property, and higher insurance premium rates, to name a few. To get some insights into the best ways to protect your business from cyberattacks, we spoke to Vertilocity cybersecurity expert Chris Bowman.
Q: With the reported cyberattacks on MGM, Caesars, and 23andMe, what key vulnerabilities or weaknesses in their cybersecurity were exposed?
The obvious one, and the one that’s getting a lot of media attention, is how do you authenticate users who are calling into the help desk? The MGM attack started off as a fraudulent call to their Service Desk. “Scattered Spider,” the cybercriminal group, looked up employee information on social media and called MGM’s help desk to “phish” for their login credentials.
There have always been security questions that, in the past, you were the only one who knew the answer to. Questions like, where was the first place that you lived? What school did you go to? What was the model of your first car? Today, that information is all over the internet. Cybercriminals can go to Facebook or LinkedIn and get the answers to these questions. They’re straight phishing for information that they can use to impersonate key employees in an organization. And, it’s frightening. MGM is expected to take a $100 million hit from a breach that was carried out through a little research on social media and a phone call to reset a password. While there certainly are no invincible solutions, there are tools that could have prevented something like this.
Multi-factor authentication, or MFA, is a big solution. As I don’t know all of the details of the breach, I can only speculate that MFA was not part of MGM’s cybersecurity protocol. MFA requires additional steps to authenticate who you are. Instead of just resetting a password from answering a set of questions, MGM’s help desk could have asked the questions and then had their help desk technician send a push notification to an app on the verified user’s phone or email. Only after the verification request was accepted could the help desk technician proceed to change the password.
While MFA is certainly not foolproof, it adds a significant layer of additional protection.
Q: What do organizations need to be aware of when it comes to multi-factor authentication (MFA)?
Cybercriminal groups can come up with sophisticated ways to intercept your MFA. So, Microsoft, Duo, and other vendors are coming up with ways to prevent the interception. It’s important to stay up-to-date on the latest interception tools.
One of the things that we’re seeing a lot of is MFA fatigue. This is where a user will just hit accept on the push notification because they hit accept every time. It doesn’t even occur to them that they’re not actually logging into anything at that moment. This can happen to anyone. I’ve seen very sophisticated users get worn down by MFA fatigue. One of the ways to avoid MFA fatigue is getting a number code as a push notification and then having to punch those numbers into the app on your mobile device to finish the authentication. This helps prevent accidentally accepting a push notification.
Q: What lessons can other organizations learn from these cyberattacks and what proactive measures should they consider to prevent similar attacks?
For any remote access to systems, multi-factor authentication should be required. A huge percentage of all hacking attempts would be foiled if multi-factor authentication was included. I read that, according to Microsoft, implementing MFA can make you 99% less likely to get hacked.
The other proactive measure to take is role-based access controls. Making sure that when you set up a user on your system they are limited to what they can access based on what they do for your company.
It’s also important to have some policy for verifying a user to ensure they are who they say they are. At the very beginning of my career, there were four helpdesk techs. We knew all of our clients and could easily verify someone’s identity. That’s not the case today. In an organization that is worth $33 billion and has thousands of employees, there must be a policy and a procedure in place. Vertilocity is much larger than when I first started (back when it was called Vertical Solutions). Today, there’s no way I could know everybody that we work with and positively identify them. When a person calls into a help desk and doesn’t know their password or can’t get into their account, there should be a multi-factor authentication verification policy in place. This decision has to be made at the executive level. It can’t be up to the help desk person. When they’re dealing with someone who’s upset, they want to help. They’re going to do what they can to get the user access to their system. They need a policy to follow.
IT security people often get called the preventers of information services. While it may be frustrating to have additional security steps, we are now in a cat-and-mouse game with cybercriminals. Identity is everything. If I’m going to give you access to this user’s identity, I have to be sure of who you are.
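Number-matching push verification, the defence described above against MFA fatigue and the check a help desk can require before resetting a password, in an added Python example that is not from the interview or from Vertilocity. The two-digit code, the 60-second challenge lifetime, and the push-per-window limit used to flag push bombing are assumed policy values.

```python
"""Number-matching push MFA with push-bombing detection (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field

PUSH_LIMIT = 3          # assumed policy: unanswered pushes per user per window
WINDOW_SECONDS = 300    # assumed policy: detection window
CHALLENGE_TTL = 60      # assumed policy: seconds a challenge stays valid


@dataclass
class Challenge:
    user: str
    number: str      # shown on the requester's screen (or the technician's console)
    created: float


@dataclass
class MfaServer:
    pending: dict = field(default_factory=dict)    # challenge_id -> Challenge
    push_log: dict = field(default_factory=dict)   # user -> timestamps of pushes
    alerts: list = field(default_factory=list)     # SOC-facing detections

    def start_challenge(self, user: str, now: float):
        """Send a push to the enrolled device; return (challenge_id, number).
        The number is displayed to the requester, never sent to the phone, so
        only someone who both holds the phone and sees the screen can finish."""
        recent = [t for t in self.push_log.get(user, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.push_log[user] = recent
        if len(recent) > PUSH_LIMIT:   # repeated pushes: classic MFA-fatigue pattern
            self.alerts.append(f"push bombing suspected for {user}: {len(recent)} pushes")
        cid = secrets.token_hex(8)
        number = f"{secrets.randbelow(100):02d}"
        self.pending[cid] = Challenge(user, number, now)
        return cid, number

    def complete(self, cid: str, typed_number: str, now: float) -> bool:
        """Called when the phone app submits what the user typed. A blind 'Accept'
        is impossible: the app has no number to send unless the user typed one."""
        ch = self.pending.pop(cid, None)          # single use: replay fails
        if ch is None or now - ch.created > CHALLENGE_TTL:
            return False
        return hmac.compare_digest(ch.number, typed_number)


def help_desk_reset_allowed(server: MfaServer, user: str, caller_typed: str, now: float) -> bool:
    """Help-desk flow: the technician starts a challenge and reads the number to the
    caller; the reset proceeds only if the enrolled phone submits that number."""
    cid, _number = server.start_challenge(user, now)
    return server.complete(cid, caller_typed, now + 5)
```

A caller who is not the account holder cannot type the number into a phone they do not have, so the reset never proceeds; the `alerts` list is what a detection pipeline would forward when one user receives more pushes than the window allows.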
Q: How often would you recommend a company review its cybersecurity policies?
At the minimum, it should be an annual exercise. You need to see what the big hacking issues in the market were and what solutions are available to prevent them. Right now, phishing is the big one. That’s what I see more than any other type of hacking, including ransomware.
Cybercriminals are trying to get access to other people’s mailboxes. They start reading what’s going on in your mailbox. They learn who you are and how you communicate. They wait for opportunities to extort money. We often see someone in billing is targeted. Cybercriminals will take over that billing person’s account and start sending their clients emails saying they need to update their ACH payments to this new account that we opened. We’ll see someone pay a legitimate invoice and send $30,000 to an account that nobody in the organization actually knows about. That’s a huge phishing scam right now. And, it’s a hard one to tackle because it only requires getting access to one user’s mailbox, sitting there, and learning how they do it.
In reality, how often to do a review depends on the client’s needs and the sophistication of the client. For my clients, it could be an annual, semi-annual, or quarterly business review. I’ll take them through the things that we’re seeing in cybersecurity, and what we’re seeing on their network, and present suggestions of ways to adapt as well as any recommendations. Some clients will even want to do a tabletop discussion of a potential scenario and how they would respond to it. That’s a really good exercise and showcases the sophistication needed to consider all the implications.
MGM and Caesars outsourced their IT. To find out how you can ensure that you are being protected by your IT provider as well as additional information on how to protect yourself and your company, read the full interview with cybersecurity expert Chris Bowman in this white paper.
For essential cybersecurity tips to help your organization safeguard itself from cyber threats download Vertilocity’s Cybersecurity Best Practices Checklist.