Cyber attacks against businesses and other organizations are a growing threat across the United States, but there are actions that can be taken to help mitigate them.
Following Russia’s invasion of Ukraine in March, U.S. officials warned companies to protect themselves from cyber attacks as there was intelligence that showed Russia was considering launching cyber attacks against critical infrastructure targets. The warning followed years of warnings officials have issued regarding the threat from state-sponsored hackers, the Associated Press reported.
But it’s not just an international or national concern; it’s a local one too. Last October, Johnson Memorial Health was crippled by a cyber attack in which hackers installed ransomware onto the hospital’s computer network. Hospital officials did not say what data was taken, if any. The FBI assisted in the investigation and hospital officials said it was the work of a known hacker group. After about a month, the hospital set up a new computer network with more resilient protections.
Threat is growing, constantly changing
The cyber threat is not only growing every day, but it is constantly changing, said Justin Kinney, a security analyst with JPtheGeek, a Greenwood-based managed IT services provider. The company has 80 clients and not only provides cybersecurity services but general business technology services to businesses.
“It’s becoming a bigger and bigger threat each day,” Kinney said.
JPtheGeek’s security team has seen a significant increase in cyber threats against their clients both year-to-year and quarter-to-quarter. Between the first and second quarters of this year, they saw a 400% increase in phishing attacks. In the second quarter of this year alone, the team has stopped over 91,000 phishing emails, 1,700 endpoint/network attacks and over 850,000 web/browser threats. “Endpoints” is an IT term for servers and workstations, company officials said.
“It’s bigger than what I was expecting, but we were able to mitigate all of them,” Kinney said.
The threat of ransomware, software designed to block access to a computer system until a sum of money is paid, has also gone up. Earlier this year, Verizon released an incident report saying that stolen passwords and computer misconfigurations are among the largest factors in attacks, Kinney said.
A 2020 Indiana University Kelley School of Business study found that over 95% of more than 300 Indiana organizations were concerned about the risk of a cyber incident. Of the more than 300 organizations surveyed, the vast majority of respondents also said they had taken steps to prevent a cyber incident, the study said.
When it came to a key part of cybersecurity practice — the development and documentation of a cyber incident response plan — only 27% of organizations reported having a documented policy, the study said.
Cybersecurity is a national security matter and cyber risk is business risk, so it’s important for people to understand that, said Herb Stapleton, special agent in charge of the FBI’s Indianapolis field office.
A trend the FBI has noticed when it comes to cyber attacks is that whenever an organization, like a business, government agency or school system, is attacked, it decides that it is better to handle the situation internally and not report it to the FBI or the government in any way, Stapleton said.
“We think that trend is a dangerous one for our national security and for our economic security,” he said.
Small businesses are not immune from cyber threats either. In the past, Kinney has heard small business owners say that because they are so small and don’t have a lot of money, cyber attackers wouldn’t want to target them. However, these businesses still have money, which is what the attackers are going after, he said.
Businesses have options
There are several ways businesses and organizations can protect themselves from cyber threats, but one of the most critical things that businesses should do for cybersecurity is to implement security awareness training.
Businesses can implement different layers of cybersecurity, but at the end of the day, if a business is not training employees to know what to look for when it comes to a possible cyber threat, then the risk is even higher, said Jesse Pearson, JPtheGeek CEO.
“One click can cause a malware infection and a data breach, so training employees to know what they’re looking for is absolutely critical,” he said.
This type of training is required by most cyber insurance policies and is considered a core practice of cybersecurity. If an organization is not doing it, then they are not able to make a cyber insurance claim, Pearson said.
Another way to avoid cyber risk is to not share passwords. Insider threats are connected to password sharing, and companies often don’t think about this. A disgruntled employee could steal company data using a shared password and sell it for more money than what they are currently making, Kinney said.
Enforcing a strong password policy is also a major way to reduce cyber risk. Organizations should avoid having a password that is 12 characters or fewer, as computing power has progressed to the point where passwords of 7 to 9 characters can be cracked in seconds if a hacker has the right tools, Kinney said.
JPtheGeek’s standard policy is a minimum of 14 characters for passwords, along with using passphrases. The company tells clients to choose an object, a verb, a color, a number and a symbol for passwords, Pearson said.
Reusing passwords on multiple applications is also frowned upon as people run into the risk of an application being breached and the password being stolen. Once this happens, all of those accounts with that password are vulnerable to being breached, Kinney said.
“Making sure you have one password for each tool, each thing that you use, is crucial to ensuring your safety online,” Kinney said.
Using a password manager, like Dashlane or 1Password, for every site with a password will help with managing all of the different passwords, Pearson said.
Additionally, more security is needed for computers than what a standard antivirus program can provide. There are not only different tools but also different tactics that individuals and groups can use to go around those programs, especially today.
“Those (programs), they will protect against older threats, but newer tools, like managed detection and response, or MDR, endpoint detection and response, or EDR, those are more equipped to face off against the most current threats that we face,” Kinney said.
Pearson says that most of the programs and services his company uses and provides are not necessarily things that a business or organization could just use by themselves. They have to have someone who is able to manage it, and often a majority of the products can only be sold when a company has at least 1,000 workstations, he said.
“There is no one thing, it’s a layered approach. … Our (security model) can be up to 27 different layers depending on the client’s needs and compliance requirements,” Pearson said.
Protection is a group effort
In order to address cyber attacks and to protect each other, Americans have to be united as one team, Stapleton said. While most cyber incidents do not involve a risk to life, it’s important for organizations to report the incidents.
“It’s really important that we work together to protect each other,” he said.
The FBI is just one agency operating in this role, as it is a joint effort between private citizens, business leaders and government leaders on all levels. However, the agency is one of the only federal agencies that can have an experienced cyber investigator at someone’s doorstep within an hour in most parts of the country, Stapleton said.
Cybercrime is also not limited by borders, and the agency has international partnerships that can help victims of cybercrime and find cybercriminals. Stapleton could not think of a major cyber breach in the last 5 to 6 years that did not involve some type of international element, whether it be the infrastructure used or where the criminals are located, he said.
CYBERSECURITY STEPS FOR COMPANIES
Here are some cybersecurity steps companies can take to help prevent cyber attacks:
- Mandate the use of multi-factor authentication on systems to make it harder for attackers to gain access.
- Deploy modern security tools on your computers and devices to continuously look for and mitigate threats.
- Check with your cybersecurity professionals to make sure that systems are patched and protected against all known vulnerabilities.
- Change passwords across networks so that previously stolen credentials are useless.
- Back up data and ensure there are offline backups.
- Run exercises and drill emergency plans so that companies are prepared to respond quickly to minimize the impact of any attack.
- Encrypt data so it cannot be used if it is stolen.
- Educate employees on common tactics that attackers will use over email or through websites.
- Encourage employees to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly.
- Engage proactively with local FBI field offices or CISA regional offices to establish relationships in advance of any cyber incidents.
- Encourage IT and security officials to visit the websites of CISA and the FBI to find technical information and other useful resources.