Any responsible business owner will take multiple measures to prevent a cyber attack. Staying on top of updates, using multifactor authentication, training staff on how to identify phishing attempts and other threats, and partnering with a reputable cybersecurity firm are all necessary steps these days. But as any security expert will tell you, breaches aren’t an “if,” they’re a “when.” The key is to identify incidents quickly and to respond appropriately when they happen.
“Nowadays the expectation is everybody will have a compromise of some kind. The goal is to minimize the risk and the liability when you do,” says Kyle Schuping, technical director at Kelly Office Solutions, the 78-year-old dealer organization based in Winston-Salem, North Carolina. “Make sure that you are not the lowest hanging fruit, so you’re a less appealing target to threat actors.”
Jim Peterson, principal solutions advisor for managed IT partner ConnectWise, is a cybersecurity expert who has seen what happens when protective measures fail. The good news is, modern hackers typically don’t keep it a secret that they’ve broken in. There’s usually one of three ways a business finds out they’ve been hacked.
“The first way is they can’t access their own information,” says Peterson, referring to scenarios where passwords have been changed or data has been wiped. “We call that a typical ransom. Then there’s the extortion side. That’s where they’ve gathered the data and they’re trying to get you to pay them not to release it.” A third possibility is hackers may use data they’ve stolen to impersonate stakeholders at a company. “They may hear from their vendors and clients that someone is impersonating them on the inside, basically trying to commit financial fraud, acting like the controller, changing bank accounts, and things like that.”
One of the worst-case scenarios is that a cybersecurity breach isn’t detected before it affects other people in your business’s contact list. Hackers may compromise email servers or other communication tools and send out malicious messages in the guise of your own account, spreading the infection further. In recent years this process has become even more dangerous thanks to AI-powered malware.
“That’s what most of the AI engines do,” Schuping says. “They go through, they scrape as much data as they can, and they try to send it out to as many people as they can, hoping that more people will fall for it.”
Peterson adds: “With the availability of all the large datasets out there on the dark web, they’re using AI to try and guess what passwords are. If you change your password from ‘password1’ to ‘password2,’ the AI is going to figure that out,” said Peterson. “It’s not just the guy who’s sitting there trying to type it three or four times.”
Hackers don’t even have to be the ones coding these kinds of tools these days and, in fact, they usually aren’t. They buy off-the-shelf SaaS products from the dark web, simply paying the software provider a portion of their spoils. “There are hacker companies out there now that run software as a service the same way that you buy Office 365,” notes Peterson. “They sell ransomware and malware on a monthly subscription. So the individual threat actor who’s going after a company doesn’t have to know how to program anymore. They just have to be good at trying to trick people into going to the right website.”
Lack of Cybersecurity Makes It Easy for ‘Black Hats’
The ultimate goal for all of this is a payday, whether that’s by infiltrating financial institutions to move funds, ransom, or blackmail. Frequent backups to a protected external server—one insulated from an encryption attack—can neutralize the threat of ransom. And, multifactor authentication is a good deterrent for attempts to access financial accounts. However, the only way to prevent blackmail is to prevent threat actors from gaining access to that data in the first place.
While hacking is always a risk, it helps to remember that hackers are looking for an easy payday. The more robust your cybersecurity is, the less appealing you are as a target.
“It’s everything from email training, phishing training, teaching end users how to be security-conscious,” Schuping explains. “Very rarely anymore do we find that threat actors are the guy in the hoodie who’s sitting there typing as fast as he can and trying to break into the firewall like you see in the movies.”
These days cybersecurity breaches are far more likely to happen through authorized users. People using compromised passwords, falling for phishing attempts, or opening an unvetted attachment that installs a keylogger onto their system are often the hacker’s way in. That’s why multifactor authentication is so important, so that even someone with system credentials has to pass at least one more level of authentication before gaining access to sensitive information.
Another way to minimize risk is by maintaining a regular cybersecurity update schedule at an appropriate cadence for your tech stack and exposure to risk. “We want to, at a minimum, test the environment quarterly,” advises Peterson. “You can do more, you can do less, but most businesses are going to be most successful with at least a quarterly test of the system.”
It’s natural to want to respond quickly to a hacking incident, but both security professionals we talked to emphasized the importance of not panicking and not making rash decisions. Work with your IT department or an outside cybersecurity consultant to develop an Incident Response Plan, a clear set of steps for what to do if the worst happens.
“It’s going to say things like do call your IT department, don’t reboot computers, don’t do a restore. It’s going to give you that clear set of steps. Most MSPs that understand your industry are going to be able to write a good Incident Response Plan for you,” says Peterson. It’s good to disconnect the affected hardware from the internet if possible, but anything that could wipe data, including a simple reboot, is potentially destroying forensic evidence that’s vital for law enforcement, insurance, and the IT recovery team.
“I can give you a list of a hundred things not to do,” laughs Schuping. “It varies based on what type of compromise it is, but you’re going to need to determine whether this is something that can be handled quickly and locally with something as simple as a password reset or whether there was actual data exfiltration. At that point you need to take a look at your cyber insurance policy.”
Cyber insurance is a growing sector of the insurance industry, covering the costs of data recovery, credit monitoring, hardware replacement and more. Not all businesses recover from a cyber attack, but good insurance can drastically increase the odds of survival. But, in order to be eligible for that kind of coverage, a business will have to meet requirements about security standards, Incident Response planning, prompt software updates, and user training. It’s the same things any reputable MSP would advise a client to do, but it does require a shift in thinking.
“Gone are the days where you could just call someone occasionally to fix your problems,” concludes Schuping of Kelly Office Solutions. “You really truly need to have a management plan for making sure that your security is up to date and monitored. The days of having your nephew come over and install the latest software once a year and being protected are gone.”