Cyber Threats Reach A Whole New Level, Experts Say

03 May, 2019 Nancy Grover

                               

Sarasota, FL (WorkersCompensation.com) – Here’s a sobering thought: just about anyone who wants to can access an organization’s computer system these days. Those without the specific know-how can easily find rent-a-hacker services online. That means it no longer requires special skills to wreak havoc on a company.

Getting hacked can destroy companies, not only through reputational risk and potential liability, but also through the stiff penalties that can be imposed under a variety of state, national and international standards. Experts say cyber security is an issue every organization should understand, taking all possible measures to prevent getting hacked.

What Hackers Want

“The easiest way to get money out of a company at the moment is running impersonation frauds,” said Bernard Regan, director of Baker Tilly, a London-based accounting and advisory firm. “The accounts payable [department] receives an email saying ‘hey, can you send an invoice to this other account this month because we’re going through an audit, and we don’t need [the money] to be coming through this regular account which we’re being audited on.’” The organization typically doesn’t realize it’s been swindled until the real vendor calls looking for payment.

During a recent webinar on cybersecurity produced by The CLM, Regan and other panelists said that while money is often the reason organizations get hacked, it is not the only one. Hackers may also seek: 

  • Data that has black market value
  • Trade secrets
  • Strategic information
  • Whistleblower information
  • Public exposure or to create business interruption
  • Retribution/harm

Many organizations don’t even realize they have information in their systems that makes them vulnerable to attacks. For example, even the smallest company that’s had just one workers’ compensation claim has medical information that can be valuable to an outside party.

Medical information is one of the three types of data that organizations should protect. Private information about employees and/or customers, such as Social Security numbers and driver’s license information, is another. Biometric data is yet another growing source of personal information and is available, for example, to companies that use thumb-scanners to clock employees in and out of work.

Penalties

Companies that have no idea they have such information and are hacked can be charged with violating a myriad of standards, all of which carry various consequences. “The law is really in flux right now,” said Todd M. Rowe, a partner in the law firm Tressler, LLP. “We refer to it as a patchwork of standards.”

He noted, for example, that Illinois imposes a $1,000 penalty per incident for compromising biometric information. The law, which has been on the books for a surprising 10 years, applies if a company fails to provide proper notification to the person saying their biometric data is being used. In a recent decision, the Illinois Supreme Court said a person qualifies as ‘aggrieved’ and can seek damages without having to allege an actual injury or adverse effect. The case involved the use of fingerprint scanning for repeat-entry passes to an amusement park.

In addition to state laws, there are national regulations and international standards. A Midwest company with no employees or customers in a European Union country can, nevertheless, be accused of violating the General Data Protection Regulation if it has even a presence in the area via its website.

Types of Hacking

Alongside impersonation fraud, which extorts money from a company directly, ransomware has become one of the most common types of hacks. Perpetrators threaten to block access to or publish data unless a ransom is paid.

“It’s very easy to deploy, you get great returns on investment, and, if somebody pays, it’s money for free, effectively,” Regan said. “We’re also seeing an increase in the amount of ransom being asked for, up to $3, $4, or $5 million.”

A new variety of malware on the market is making ransomware even more concerning. “It’s getting very complex and very nasty because there’s double encryption,” Regan said. The first hacker attacks a company and encrypts its data until a ransom is paid. Then a second hacker, working with the first, further encrypts the information. “So not only are you paying a ransom to unencrypt the data, once you do that, if it works, you then get more encrypted data, so you might have to pay a second ransom.”

Companies that allow their employees to use social media programs such as Facebook may want to alert and educate them on the dangers of phishing scams. These often show up as innocent, fun games where the user is asked for some ‘innocent’ personal information.

“If you respond to this, your picture is in the response along with your full name and you’ve just given them the month and day of your birth and the last digit of your birth year,” said Jennifer Newell, SIU Manager at FedNet Insurance. “A savvy person can take a look at the photo and can narrow down your [full] birth year.”

Other seemingly innocuous games might ask the name of the person’s first pet and when they got it. That type of information can be invaluable to a hacker. “Someone with that information could answer your security question for [the password to] your bank account, for example,” Newell said.

The IoT, or Internet of Things, is yet another way a hacker can easily get into an organization’s protected information. Companies may make themselves vulnerable to hacking without realizing it.

“For instance, the Ring doorbell, people are using that in corporate environs now and they’re attaching that to the corporate network. Somebody can attack and get into the network,” Regan said. “We’re seeing a lot of the IoT in the manufacturing space where people are using tablets, [and other] devices to monitor the temperature or the throughput of production. All of those things are internet-enabled and all of those things are susceptible to attack if they haven’t been secured properly.”

Protecting The Data

Companies need to be proactive, invest in new technologies and understand and think about what they are trying to protect, the experts advised. That may mean putting privacy concerns ahead of efforts to please employees.

“Sometimes they want to make workers happy [and allow them] to work from home or use their own devices,” Regan said. “But often that’s how hackers will exploit vulnerability. You need to make sure your security is up to date.”

Regan suggests organizations think carefully before implementing anything that taps into the corporate network. His advice is if you don’t absolutely need something and/or you can’t ensure it is secure, don’t use it.

Having solid backup solutions is also imperative for many organizations. “If a ransomware attack hits and you don’t have a backup then you’re effectively starting from day zero and having to build your whole infrastructure again and doing a data restoration with that as well,” Regan said.

In addition to using the latest technology to protect information, companies need to go further. “While the technology guys are great and firewalls are important, that’s just the price of admission in this environment,” Rowe said. “The next step is to make sure you have employees, boots on the ground, who can see the red flags and be ready to go; whether it’s the technology folks or the receptionist looking at emails coming in. To have the training component is really going to give you that extra layer of protection. And it’s cost effective.”

Employees can be trained to spot and report suspicious emails, for example. Grammar mistakes, or an email format that is slightly different from what a vendor normally uses, with different footers and/or headers, are indicators the message is not authentic. A business email sent from a Gmail account is another red flag. Also, the replies must be sent to the exact same email address.

Conducting mock tests with employees during and following training can be invaluable.

Employees should also understand the importance of reporting any suspicious activity immediately.

“Don’t feel embarrassed; it happens to so many people,” Regan said. “Don’t try and hide it, own up to it and say ‘I think something’s gone wrong.’ The quicker you respond the better chance of getting the money back.”

 





    About The Author

    • Nancy Grover

      Nancy Grover is a freelance writer having recently retired as the Director, Media Services for WorkersCompensation.com. She comes to our company with more than 35 years as a broadcast journalist and communications consultant. Grover’s specialties include insurance, workers’ compensation, financial services, substance abuse, healthcare and disability. For 12 years she served as the Program Chair of the National Workers’ Compensation and Disability Conference® & Expo. A journalism/speech graduate of Ohio Wesleyan University, Grover also holds an MBA from Palm Beach Atlantic University.
