The basics of understanding your cybersecurity needs

For any organization thinking about cybersecurity, it’s hard to know where the real risks lie.

In the 2019 Business Record Leaders’ Survey, readers were overall hesitant about business and government preparation in the event of a cyberattack, with about 30% of respondents reporting they perceive Iowans as somewhat prepared. So how would a regional not-for-profit, small to medium business or a large corporation begin to assess the risks? We turned to state cybersecurity experts to explore the unique risks and training needs these organizations face.

The experts

  • Antoinette Stevens: Detection and response engineer at Cisco Meraki. 
  • Megan Howard: Director of security services at Pratum. 
  • Aaron R. Warner: Founder, CEO and lead security strategist at ProCircular.

Not-for-profit organizations

What kind of cyberattacks are not-for-profit organizations most at risk of experiencing? Why would people target these organizations?

Antoinette Stevens: “Without too much thought to highly motivated threat actors (someone is actively trying to attack an individual organization for their own purposes), most smaller NPOs would likely be at risk of two things: data breaches stemming from misconfigurations in their database and websites, and a lack of available resources to find and fix those issues; [and] malware delivered via phishing due to a lack of available training around email security. I don’t think most organizations are specifically targeted; rather they’re caught in a larger net that was cast and ended up getting caught with everyone else.” 

Aaron Warner: “Non- and not-for-profit organizations are frequently targeted due to the high transactional volume of credit cards and the presumably low cybersecurity budget.” 

Megan Howard: “Not-for-profit organizations are susceptible to many of the same cyberattacks as any other organization or company. Not-for-profit organizations often operate on a tight budget, and cybersecurity is not always a line item within it. Hackers know this and take advantage of the lack of security controls in place.” 

What are the most common risky cyber practices you have seen in not-for-profit organizations?

Warner: “Mass-emailing leads to risks both from replies and spoofing. People can look like their potential clients as well as present themselves as the source organizations.” 

Howard: “Many not-for-profits do not have proper access controls in place to help limit the exposure to their sensitive data (credit card numbers, email addresses, home addresses or other personally identifiable information). Once a hacker is in, they most likely have access to everything due to the lack of internal segmentation and access controls.” 

Stevens: “Third-party plugins used on websites. … A lot of people use third-party plugins on their websites, and if a plugin isn’t secure, it can be used to exfiltrate important user data, deface the website and more.”

What type of training is most effective for volunteers or part-time staff members in not-for-profits?

Warner: “In-person cybersecurity training is the best way to really bring people to the defense of their organization. There is also a need for more frequent reminders, which is where a tool like KnowBe4 can be effective. The combination of the two makes for a strong approach towards educating employees.”

Stevens: “Phishing training. A fairly large amount of malware gets delivered via email. Really good training for how to spot phishing could save a lot of money in the long run.” 

Howard: “Unfortunately, fraudulent emails are looking more and more realistic and can be very difficult to detect. Ongoing training and awareness is essential to keep this top of mind. Volunteers or staff members should be trained to always verify. … Most people want to do the right thing, but if they lack awareness and training, their actions could result in undesirable consequences.”

Small/medium businesses

What types of cyberattacks are small-medium businesses at risk for? Why would people target these businesses?

Stevens: “I don’t think the type of business makes a difference in this case; whether it’s a nonprofit organization or a small-medium business, the major contributing factor is resources. Any organization or business with a limited amount of information technology/security resources will be at a greater risk of a wider range of attacks than an organization [or] business with more resources.” 

Warner: “Small businesses are frequently targeted due to the high transactional volume of credit cards and the presumably low cybersecurity budget. They’re also an easy place to gather endpoints for a DDOS attack or for lateral movement into their clients.” 

Howard: “Small-medium businesses are targeted due to the connection they may have to large enterprises. Many times, large enterprises will use small-medium businesses as vendors. Hackers are using the lack of security controls at small-medium businesses to get to the larger enterprises.” 

What kind of training is most effective for small-medium business staff? Who should lead company training and awareness initiatives? 

Stevens: “Phishing, data security, privacy training especially for businesses with customer data — on top of what I said for [not-for-profits].” 

Warner: “I’m a big fan of in-person training on a yearly basis. Small companies are used to doing business face-to-face, and they learn best in the same forum. Not the least expensive approach, but it can save the business from being shut down in a breach, which is far more likely for smaller businesses.”

Howard: “Email phishing tests are one way to test a user base on their response to malicious emails. Hackers often find it easier to attack people versus technology, and will use email phishing to get into a company. In-person training can be an effective way of training employees in small-medium-sized businesses. This type of training is more personable and can be tailored to specific risks within the organization. Rewarding employees for following company policy and doing the right thing can also have a lot of value. When an employee reports a security incident, catches a phishing email or requires an [unfamiliar person] to badge-in [to secure locations], rewarding this behavior can make the employee feel valued and encourage the helpful behavior again.”

What are the most common risky cyber practices you see for businesses of this size? 

Stevens: “Poor general security practices resulting from a lack of knowledge and resources; i.e., poor data security, lack of data backups, lack of network protections, etc.” 

Howard: “Many small-medium businesses do not have Incident Response or Business Continuity/Disaster Recovery plans in place to appropriately respond to a security event. The lack of planning leaves an organization unable to respond in a timely and effective manner, which could greatly increase the impact on the business — even forcing some businesses to close their doors. Many small-medium-sized businesses do not have adequate backups of their data. Without backups, businesses may be unable to recover from an attack such as ransomware. If ransomware hits and dependable backups aren’t in place, a business may find themselves in a really bad spot and their only choice may be to pay the ransom to a ‘trustworthy’ hacker.” 

Large businesses/corporations

What types of cyberattacks are large businesses/corporations at risk for? Why would people target these businesses? 

Stevens: “Now we’re likely dealing with groups that have resources. … For large businesses/corporations with large public profiles, we begin to get into the space of nation-state attacks, highly motivated malicious actors and hacktivists. These types of corporations tend to attract attention because they’re highly visible and there’s almost always guaranteed to be something valuable if the hack is successful.” 

Warner: “Depending on the industry, large organizations with little tolerance for downtime are increasingly targeted. It’s easy to charge a $300K ransom for a company that burns $100K per hour in downtime.” 

Howard: “Large businesses/corporations have hackers knocking at their door 24/7 with many different methods. [They] may be targeted due to the amount or type of data they have. They could be housing thousands of sensitive records of their customers and employers or other confidential information, such as intellectual property, trade secrets, etc. Large businesses/corporations may also be targeted with the goal of tarnishing brand reputation.” 

What should businesses consider when building an in-house cybersecurity team or contracting a vendor? 

Stevens: “I think anyone building an in-house cybersecurity program should have a clear vision and goal for what they expect from that team. If a business is just hiring a cybersecurity team to say that they have one, they might not end up with the skill sets required to secure the business. One really has to understand the security risks the business has and know which sets of skills are required to mitigate or reduce risk. Contracting is very much a similar situation, but with the added risk of entrusting your risk to a third party. … The business should be asking in-depth questions of the vendor to assess merit and trustworthiness.” 

Warner: “Find a lead that is both skilled in cybersecurity and adept at working with a variety of vendors with deep skills in their respective subject matter areas.” 

Howard: “There is currently a huge shortage in qualified cybersecurity professionals. Because of this, qualified individuals can demand high salaries and it may be very difficult to find the individual in the location you want. Being open to remote individuals will help open up the candidate pool. Contracting with a third-party vendor to fulfill the company’s security needs can have a lot of benefits. The cost is usually lower, and the value you get can be higher. … Ensure the vendor specializes in cybersecurity and understands your business. Companies should request referrals and the qualifications of the employees they’ll be working with.”

What are the most common risky cyber practices you see in businesses of this size? What training is most effective for the workforce? 

Stevens: “I think larger corporations tend to make the same mistakes as businesses of any other size. They are no less likely to slip up and have exposed data on the internet than any other company or organization of any other size. … The big concern here is about maturing the security program as the company grows. Once a company reaches a certain level of public notoriety, their security program should mature because the threats are going to be more mature.” 

Warner: “Focusing on one domain over the other two — tech versus people versus compliance. Being excellent at one doesn’t preclude you from responsibilities in the others, and that’s how they’ll get you.” 

Howard: “Many large businesses will spend a lot of money on technology in hopes that putting a tool in place will solve their problem. These tools are often not configured or managed properly and provide the company with a false sense of security. … All companies, no matter the size, should be providing training on identifying phishing emails. Many companies are required to provide security training at least annually, but once a year is not enough. Continual security awareness and training helps keep security at the top of minds of all employees.” 

Terms

  • DDoS Attack: Distributed denial-of-service attack. A malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or surrounding infrastructure with a flood of internet traffic (Cloudflare). 
  • Phishing: Targets are contacted by email, phone or text message by someone posing as a trusted institution to retrieve personally identifiable information (PII), such as banking details or passwords (Phishing.org). 
  • Executive impersonation: A method of business email compromise (BEC), also known as “CEO fraud,” often a fake email purportedly from a high-ranking executive or a key familiar vendor. Often marked as “urgent,” the contact requests that the recipient access the company bank account and wire company funds (Maillie.com). 
  • Malware: Malicious software; can describe any malicious program or code that is harmful to systems. Seeks to invade, damage or disable computers, networks and devices, often by taking partial control over a device’s operations (Malwarebytes.com). 
  • Hacktivist: Someone who uses hacking to bring about political and social change. May work alone or in a decentralized network, and may steal money or data, deface websites or launch other attacks (US Cybersecurity Magazine). 
  • Ransomware: A form of malicious software that locks and encrypts a target’s computer or device data, then demands a ransom to restore access (NortonLifeLock).