Protecting Your Business from Cyber Threats: What You Should Know
If there’s one thing we haven’t needed this year, it’s something else to worry about.
Unfortunately, thanks to opportunistic hackers looking to take advantage of the COVID-19 pandemic and the business response, that’s exactly what we got.
According to a June 23 Security Week article, email scams and phishing attacks increased by a staggering 436 percent between the second and third weeks of March, as the nation struggled to come to grips with the effects of the pandemic. Many of these attacks were designed to prey on individual fears and anxieties: Phony websites purporting to sell face masks, work-from-home job offers attempting to steal personal information from recently laid-off employees, and malicious file attachments attempting to steal passwords and other credentials.
However, while the business community wasn’t targeted quite as extensively as individual citizens, there was a significant uptick in business attacks, based in large part on new openings created by COVID-19 and the response from both government and business.
In August, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory to warn of a voice phishing or “vishing” campaign designed to take advantage of the increased number of employees working from home and using corporate virtual private networks (VPNs) to access sensitive information. Even companies that weren’t necessarily relying on telecommuting were targeted by COVID-related attacks; the publicly available record of businesses receiving loans via the Paycheck Protection Program made for an attractive “hunting ground” for hackers looking to prey on small businesses.
Being Extra Careful During COVID
What that means for businesses right now is that they’ve needed to be extra careful in making sure that the people they’re communicating with are actually their customers, and not hackers pulling the strings behind the scenes. Since the onset of the COVID pandemic, businesses have had multiple instances of customers whose email accounts have been spoofed or compromised. It appears that they’re communicating with their customer, but in reality they’re not: the hacker has created a rule that automatically sends the compromised business’s emails to deleted items, where the hacker can then respond to the bank before deleting the email exchange entirely, with the actual customer none the wiser.
Fortunately for our customers, FCB employees are trained to know how to recognize suspicious transaction requests as potential fraud attempts, allowing us to stop the fraud attempt before money ever changes hands. However, it’s better still to cut off fraud attempts at the source, by employing best practices in cybersecurity, and that starts with policies, procedures, and training.
No Business Is Too Small for Security Best Practices
For many businesses, particularly small ones, there can be a resistance to training, especially when it comes in the form of an expensive program, and when a lot of the keys to cybersecurity—not downloading strange files or clicking strange links, for example—seem like common sense. But if you have just a few office employees or are a mom-and-pop oil and gas company, farmer, or rancher, you may not be prepared with enterprise-wide training to help employees recognize fraud attempts and cybersecurity threats, particularly when they’re tied into real events (as in the case of the PPP loan recipient disclosure).
What’s a small business to do?
In cases like these, using a layered approach to cyber security software—and more specifically, up-to-date application software—is even more essential. Hacking attempts using backdoors and command and control (C2) functionality almost always exploit unpatched software. The takeaway? Patch, patch, patch your software. These measures may seem expensive, but when you consider what a data breach can cost your business (and potentially your customers), the software patch seems positively cheap by comparison.
The Bottom Line: Stay Vigilant
I’m proud of the way our training and software programs have worked at FCB. We were able to respond to the increased need to work remotely by scaling up our existing infrastructure but still in a secure way, protecting our customers’ information. The way our people worked was already very secure, and it was just a matter of expanding to accommodate more remote workers. We phish every FCB employee once a month, and the result has been an extremely low phishing rate that I’m very proud of. I want our employees to be able to identify threats to the bank and our customers before they click.
Still, in the end, it comes down to being as vigilant as possible, and that means having as many people trained as possible and having the best multi-layered cyber security software possible. Our customers should be protecting their systems the same way we are, which is why we work with them to stress the importance of being able to protect themselves, and how it goes far beyond simple antivirus software.
After all, while 2020 will eventually end, an end to the threats posed by hacking and phishing is, unfortunately, nowhere in sight. But together, we can help keep your business safe.
#BeCyberSmart #Cybersecurity #NCSAM2020