This year will continue to focus on the fast-growing threat of cyberattacks and the scale of damage they can do. The pandemic and continuation of remote working, along with greater reliance on mobile devices, have created additional opportunities for cybercriminals to exploit. Cybersecurity breaches grew by 11% in 2019, and the average cost of a breach to an organization was $13 million. While investment in cybersecurity technology has increased, so has the sophistication of attacks.
To safeguard their business, companies need to prepare their networks, processes, and employees to identify and recover from cyber threats more aggressively than ever before. The following are some attack scenarios and cybersecurity best practices, which together can help businesses build a strong and holistic defense against cyber criminals.
Business email compromise (BEC) relies on exploiting people’s impulsive actions and willingness to trust. To avoid a BEC breach, organizations need to ensure that employees are familiar with the company’s cybersecurity protocols and how to handle suspicious emails, including not opening links from an unknown sender’s email, carefully examining sender addresses, and quickly escalating the situation should they think they’ve been targeted.
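One of the checks described above, "carefully examining sender addresses", can be partly automated at the mail gateway or in a mailbox rule. The following is an added example, not code from the article or from Bank of America; the trusted domain and the sample headers are constructed for illustration. It flags three common BEC patterns: a lookalike of the organization's own domain, a display name that carries a trusted address while the real sender does not, and a Reply-To that redirects replies elsewhere.

```python
from email.utils import parseaddr

# Constructed assumption: the organization's own sending domains.
TRUSTED_DOMAINS = {"example-corp.com"}

# Digit-for-letter substitutions commonly used to build lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _normalize(domain: str) -> str:
    """Fold a domain for comparison: undo digit homoglyphs, drop hyphens."""
    return domain.translate(_HOMOGLYPHS).replace("-", "")


def check_sender(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return red flags found in a message's From and Reply-To headers.

    An empty list means the sender addressing showed none of the patterns
    checked here; it does not mean the message is safe.
    """
    display_name, address = parseaddr(from_header)
    sender_domain = _domain(address)
    flags = []

    if not sender_domain:
        return ["from: no parseable sender address"]

    if sender_domain not in TRUSTED_DOMAINS:
        # Lookalike: the folded form matches one of our own domains.
        if _normalize(sender_domain) in {_normalize(d) for d in TRUSTED_DOMAINS}:
            flags.append(f"lookalike domain: {sender_domain}")
        # Display name shows a trusted address, but the real sender is external.
        name_lower = display_name.lower()
        if any(d in name_lower for d in TRUSTED_DOMAINS):
            flags.append(f"display name claims trusted domain: {display_name!r}")

    if reply_to_header:
        _, reply_address = parseaddr(reply_to_header)
        reply_domain = _domain(reply_address)
        if reply_domain and reply_domain != sender_domain:
            flags.append(f"reply-to domain differs: {reply_domain}")

    return flags
```

A message that raises any flag is a candidate for the escalation path the article recommends, not automatic proof of fraud.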
Companies should also invest in training to help employees ward off social engineering attacks, which use social media, personal profiles, and websites to scam unsuspecting individuals out of money or sensitive data. Best practices include keeping any personal information off social or digital channels, regularly reviewing privacy settings, and verifying any requests for payment or personal information—even if it seems to come from someone you know. More in-depth training should be provided for employees most likely to be targeted, like CEOs, CFOs, finance departments, human resources, and payroll staff.
Wi-Fi is available nearly everywhere, and it’s tempting to connect to free Wi-Fi for faster data speeds, particularly in areas with low cellular coverage. However, using public or unsecured Wi-Fi can expose private information to cyber criminals who employ malware or watch individuals’ keystrokes to uncover PINs and passwords. Once these criminals have access to sensitive information, they can access confidential personal and business information or perpetrate identity theft.
Employees can protect themselves and company information by minimizing the amount of personal and sensitive data stored on devices and by using a virtual private network (VPN) connection when possible. Companies should strongly discourage employees from using public Wi-Fi networks and disable remote and automatic connections to Wi-Fi or Bluetooth networks—for example, using Bluetooth in “hidden” mode, rather than “discoverable” mode.
Wireless networks and connected devices are turning homes into digital hubs. As the coronavirus outbreak continues to restrict travel and make remote work necessary, more employees connect work devices to less secure home networks. These networks are more vulnerable to compromise, enabling cyber criminals to access both personal and work data.
To minimize risks, employees should change the default network name and administrative password on their routers and opt for names that don’t easily identify the employee or the company. Organizations should also encourage employees to use the strictest security settings and encryption on their router. It’s also critical that IT leaders keep antivirus and firewall software up to date and recommend that employees turn off routers if they are away from home for an extended period.
Mobile devices are especially vulnerable to an attack because they are used in thousands of places. They make attractive targets to cyber criminals because one phone, tablet, or wearable device could help them access an employee’s financial, social, and email accounts.
Companies should instruct employees to lock mobile devices with a strong password of at least eight characters and use multifactor authentication if the device supports it. Anti-theft software can also locate mobile devices remotely if they are lost or stolen. Employees should only download apps from official app stores and alert IT immediately if they receive an unknown password reset alert.
Passwords are keys to the kingdom, so everyone should use strong, unique passwords for each of their accounts. A password manager program can help track passwords and eliminate the need to write them down or continuously reset forgotten passwords.
Businesses should also protect access to company resources with multifactor authentication whenever possible. Sites with multifactor authentication send a security code to an individual’s mobile phone, or use biometric information, to verify the user’s identity before the log-in completes. Organizations can also use productivity software that has built-in multifactor authentication to protect company information.
Enterprise connections to third-party suppliers are critical targets for cyber criminals. Cyber criminals continue to leverage companies’ supply chains, including their technology platforms, for opportunities to compromise these organizations. Utilizing common threat methods such as BEC, these criminals search for gaps within these supply chains to gain a foothold into their target’s operating processes.
Companies can minimize these risks by establishing strict contracts requiring third parties to maintain tight security policies and developing key contact procedures to safeguard against criminals interfering with business processes. Effective third-party management should also extend to a company’s technology platforms. Once in place, these policies require continuous compliance monitoring and reporting, either through remote audits or automated, real-time inspections.
By understanding that organizations of every size and in every industry are vulnerable to attack, companies can mitigate the risks of a cyber threat. Awareness and comprehensive preparation are critical to an effective cybersecurity response. While risks evolve, socialization and education of cybersecurity basics, both internally and with contracted third parties, can provide a strong defense layer.
Raul Anaya is president of business banking at Bank of America and a member of its executive management team.
© 2021 Bank of America Corporation