3: The real cybersecurity risks
This is part of a series discussing cybersecurity basics for an SME.
Click here to go to the start of the series.
Criminals, email and your staff
As I discussed in the previous section, your primary concern should be criminals seeking financial gain using email to fool your staff.
Criminals > email > staff member > [actions] > money
There are three common attacks.
1: Payment fraud
The easiest way for a criminal to get your money is to ask you for it.
- The criminal sends a phishing email to a staff member.
The phishing email is designed to fool the staff member into thinking it has come from someone that works with, or works for, the firm. For example, a senior executive or a supplier.
The email* will ask the staff member to make a payment or to change the bank details set up for a supplier.
* Keep in mind the first email may not immediately state the action that the criminal wants the staff member to perform. It may only be revealed when the staff member and the criminal have exchanged a few emails.
- The staff member is fooled by the email and transfers money into a bank account that the criminal controls.
This type of attack has many names – e.g. Payment redirection, payment fraud, invoice redirection.
The term ‘Business email compromise’ may also be used when the fraud is facilitated by the criminal gaining access to a staff member’s email account. We will talk a bit more about that later.
Key takeaway: Criminal -> Email -> Staff member -> Payment
This type of attack gets a lot of headlines, and it is a very profitable method for criminals.
First, I need to provide some definitions:
- Malware is malicious software
- Ransomware is a type of malware that is designed to make your files inaccessible to you until you pay a ransom.
- Encryption is used in a ransomware attack to make your files inaccessible to you. Think of encryption as a locked safe and you don’t have the key.
A ransomware attack usually goes as follows:
- The criminal sends a phishing email to a staff member.
Just like payment fraud, the email is designed to fool a staff member. For this type of attack, it is trying to get the staff member to click a link or open an attachment.
- The staff member clicks the link or open the attachment.
- The link or attachment cause malware to download to their laptop / device.
- If the malware is ransomware, it will attempt to encrypt all files accessible from that device.
This includes any files or file locations that can be accessed from this device – e.g. file shares, Dropbox / OneDrive / Google drives. Any locations that the laptop and current logged-in user could access, especially if they are accessible from Windows File Explorer.
To avoid detection, the ransomware may not run immediately. It may delay activation and perform its work very slowly.
- When the encryption is complete, the staff member will be informed.
The ransomware will display a message telling the staff member that they need to pay the criminal if they want to regain access to their files.
- The firm will pay the criminal
Assuming the firm has no ‘Plan B’ (which we will cover later), it will have no choice but to pay the criminal.
The payment will usually be made using cryptocurrency – e.g. BitCoin – so it is difficult for the criminal to be caught.
- When payment is received, the password(s) to unlock the files will be provided to the firm.
It is in the criminal’s best interests to ensure you regain access to your files. It would be bad for business if word got out that payment of the ransom does not reverse the encryption.
They may even offer online or telephone support to help you!
Key takeaway: Criminal -> Email -> Staff member -> Ransomware -> Payment
You may notice that in my diagram above, there are two grey elements included. This is to indicate:
- These attacks do not always rely on email – The criminals may use the backdoor access that your firm’s IT people have, or go via a backdoor provided by your firm’s remote access solution.
- These attacks may do more than encrypt your files. They may also take a copy of the data and threaten to release it publicly if you don’t pay.
These are conversations for another day. The statistics suggest they are not elements in the majority of attacks right now.
3: Password theft
Route 3 takes a little bit more effort for the criminal to get a pay off, but it can be very valuable. It can also be a very expensive incident for a firm, due to the investigation and cleanup costs.
This type of attack usually goes as follows:
- Once again, the criminal targets a staff member through a phishing email.
This time, the email is trying to get the staff member to visit a website.
It may be an alert that suggests their password has expired or needs to be reset due to unusual activity, or a document has been shared with them, etc.
- The staff member will click on a link to get to a website.
The website will look legitimate. It may even have the company’s logo on it.
- The website will eventually present them with a page asking them to enter their password.
To complete the requested activity, the site will ask them to confirm their identity by entering in their password. The staff member will comply and type in their password.
The site may then display an unexpected error or just show them a generic ‘Thank You’ page. The staff member may be disappointed but they won’t be suspicious.
- The criminal behind the website will use this password to log into the staff member’s account.
From here, the criminal can now impersonate the staff member within the compromised system and do whatever the staff member could do in here – e.g. access the data in this system; request or approve a payment; communicate with a colleague or a client.
The criminal will find a way to monetise this access.
Key takeaway: One password could be the only thing between a criminal and your valuables. And one staff member could be the only thing between a criminal and that password.
What could the criminal do with a password
If a criminal has a staff member’s password and if a password is the only thing required to gain access to a system, the criminal could gain access a lot of information about your firm. This information could be valuable. For example:
- If they want an immediate payoff, they could take a copy of the data and threaten to release it to the world if you don’t pay them.
- If they are playing a long game, hey could use the information to make their next attack (against you or your clients) more targeted and sophisticated.
If the password allows access to an email account:
- They could impersonate the staff member. They could then trick other staff members, suppliers and clients. If the person they are impersonating is a senior member of staff, imagine the power that gives them to divert payments to their account.
- They could build up a very detailed knowledge of who’s who (in the firm; in your clients and suppliers and business partners), who is weak and who is a valuable target.
- They could use it as a stepping stone to attack a valuable client.
If the password allows access to more than one system? Double / triple trouble.
- Yes, yes, we know that passwords should not be reused across systems. But it is sooo convenient to have one password.
Data protection problem
If the system(s) they can access contain lots of personal data, you are now in a very serious situation.
Once they log in to the system, regardless of what they then do, you have a personal data breach. The breach needs to be reported to your data protection regulator (the Data Protection Commission in Ireland) within 72 hours of becoming aware of it.
Gathering answers to a regulator’s detailed questions about the nature of the attack and the scale of data exposed is very expensive and very time consuming.
At a seminar in April 2020, a very experienced Irish legal firm told the audience that it cost €400k in professional services fees alone when one email account in one firm was accessed. The account belonged to the director of a firm with less than 100 employees, but which contained 7 years of emails.
This cost excludes the internal staff cost or the management attention that is required (when everyone still has their real job to do).
What if I told you that you needed the CEO to dedicate 2 hours per day for the next two months to discuss this breach, to answer DPC questionnaires, to authorize payments for ongoing legal and cybersecurity advisers?
What if I told you that your firm of 50 people also needed to assign 1 senior manager and 1-2 other staff members on a full time basis for two months to work on this?
You can see how the impact to the firm is pretty painful:
- External spend to assess the damage and perform the cleanup.
- Internal staff cost and management attention diverted from ‘real’ work.
- Reputational damage if the criminal uses their access to attack a client.
Key takeaway: If a criminal gains access to one of your systems, the money you pay to get them out is not the only cost to worry about.
There are three main ways that a criminal will get your firm’s money:
- Payment fraud
- Password theft
In the next section, I will discuss the simple steps you can take to make the criminal’s job much harder.