CPA Now

Cybersecurity Best Practices: A Risk Management Must

By Randy Johnston


Cybersecurity is a must, even if you naively believe cyberattacks “always happen to someone else.” Spear-phishing, ransomware, data breaches, and identity theft represent truly significant threats to an organization, so these considerations, and more, should be part of your internal control structure. Fortunately, there are techniques and strategies you can use to limit these risks; ignoring them is not one of them.

Types of Risk

New and sophisticated attacks and risks arise all the time. There are too many to enumerate in a short article, but here are just a few: phishing, tax-related identity theft, data breaches, ransomware, other viruses and malware, inadequate security among “the internet of things,” cyber-espionage, insecure passwords, unauthorized data access, and data stored improperly without controls.

There are a lot of statistics available on data breaches, exploits, and other attacks, but underlying them all is the key fact that, whether your organization is large or small, everyone is a target. To start, there are several smart actions you can take to protect your organization. The following are just a few:

  • Exercise due diligence in making data security decisions.
  • Choose well-designed IT security policies.
  • Select hardware tools designed to mitigate threats.
  • Use software and services designed to mitigate threats.
  • Deploy strong user authentication with multifactor capabilities, not just user IDs and passwords.
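
Multifactor authentication is the item on this list whose mechanics a small firm can actually see end to end, so here is an added example (written for this page, not code from the original article) of how the “something you have” factor works under the hood: a time-based one-time password (TOTP, RFC 6238) of the kind an authenticator app displays, together with the server-side check that tolerates a little clock skew but refuses a code that has already been accepted. The shared secret is the RFC 6238 test-vector secret; the timestamps and the stored “last used counter” are constructed for illustration.

```python
"""Time-based one-time passwords (TOTP, RFC 6238) as a 'something you have' factor.

Added example for this page, not code from the original article. The secret is
the RFC 6238 test-vector secret (ASCII "12345678901234567890", base32-encoded);
the timestamps and the 'last used counter' values are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time

DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test secret, base32
STEP_SECONDS = 30   # authenticator apps rotate the code every 30 seconds
DIGITS = 6


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret_b32, int(unix_time) // step)


def verify_totp(secret_b32, submitted, unix_time, last_used_counter, window=1):
    """Server-side check of a submitted code.

    Accepts the code for the current time step or for up to `window` steps on
    either side (phone clocks drift). Refuses any counter at or below
    `last_used_counter`, so a code observed over someone's shoulder cannot be
    replayed inside its validity window. Returns (accepted, counter_to_record).
    """
    now_counter = int(unix_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_used_counter:
            continue  # already consumed, or older than the last accepted code
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the demo secret:", totp(DEMO_SECRET_B32, now))
```

The skew window is the practitioner's trade-off: a wider window tolerates phones with drifting clocks but gives a phished code a longer useful life, and recording the last accepted counter per user is what stops that code from being replayed at all. Note also what TOTP does not stop: a phishing page that relays the code to the real site in real time still gets in, which is why hardware tokens bound to the site's origin are the stronger “something you have.”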

Elements of a Cyberattack

To improve your cybersecurity, consider what attackers exploit and what must be protected. First, protect your endpoints. These are frequently the target of an attack, and may include individual PCs, servers, network devices, or systems hosted with a cloud provider. The purpose of an endpoint attack is to control, corrupt, or disable that endpoint. Attackers look for vulnerabilities that permit the endpoint to be penetrated; vulnerabilities can include software flaws, system design weaknesses, insecure configurations, and human error. The tool they most often use is malware, which is malicious software. There are many different types of malware, and attacks often combine more than one. Commonly, organizations are attacked via a delivery vehicle: malware reaches victim machines through a variety of techniques, from email phishing schemes to USB sticks. Finally, the method of execution is the means by which attackers obtain the resources they need (access, processing time, data, etc.) to carry out the attack.

Common types of malware include ransomware, droppers (which install further malware), backdoors, credential stealers, viruses, worms, and vandalizers (wipers that simply destroy data). Ransomware infections are designed to hold data hostage, and they have been very active from late 2013 to the present. A few widely seen families are CryptoLocker, CryptoWall, and Locky. Typically, a user opens a program on a local PC that arrived embedded in an emailed file or through a web link. The malware installs itself in numerous places and connects to a command and control server run by the perpetrators, which supplies the ransomware with a public key. That key is used to encrypt the Office files, database files, pictures, and more on the computer, and on any mapped network shares the user can write to. Once the encryption is complete, the user is presented with an ultimatum: pay within 72 hours or the private key (the only thing that can unscramble the files) will be destroyed. Recent variants have been infecting servers in public and private cloud installations.

Numerous CPA firms, health care entities, businesses, and government agencies have fallen victim to CryptoLocker. The ransoms demanded have ranged from $300 to $18,000, payable in bitcoin or anonymous prepaid cash vouchers. Anti-virus and anti-spam applications do not detect many variants of this threat, but strategies such as application whitelisting, geofencing (blocking traffic to and from countries you do not do business with), and other techniques have slowed the rate of infection. Attackers, however, keep getting smarter and choosing new methods of attack.

Potential Tools to Prevent Cyberattack

A few defenses that have been in use for some time include a well-maintained firewall and a backup system that runs almost continuously, with at least one copy kept offline or otherwise unreachable from the machines it protects, since ransomware will encrypt any backup it can write to. A properly installed and maintained anti-virus product is still the first line of defense, but signature-based anti-virus products are not as effective as they once were. In a 2014 story in The Wall Street Journal, Brian Dye, Symantec's senior vice president for information security, estimated that traditional anti-virus detects a mere 45% of all attacks. A properly configured firewall will also help protect your network, whether you are running in a public cloud or have built your own private cloud on-premises. Add encryption and identity management, including multifactor authentication, to bolster your defenses. The payment card industry (PCI) data security standard requirements that went into effect Feb. 1, 2018, mandate multifactor authentication for certain users and use cases (non-console administrative access to the cardholder data environment); given that, adopting multifactor authentication for all users is simply a best practice. To clarify, single-factor authentication relies on something you know, such as a user ID and password; multifactor authentication adds something you have (a phone or hardware token) or something you are (a fingerprint). A password plus a security question is still single-factor, because both are things you know. The broad use of cell phones, the availability of inexpensive tokens, and the built-in multifactor options from providers such as Microsoft and Google make multifactor authentication much easier to adopt. Finally, it may be time to consider security information and event management (SIEM) tools, which collect logs from across your systems and can identify unauthorized or destructive behavior on your network.
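
To make the SIEM point concrete, here is an added example (written for this page, not code from the original article or from any SIEM product) of the kind of correlation rule such a tool runs over collected logs: five or more failed logins from one address within a minute raise a brute-force alert, and a later successful login from the same address raises a second, more serious alert because it suggests the guessing worked. The log lines, host name, user names and IP addresses are constructed (the addresses come from the RFC 5737 documentation ranges).

```python
"""Toy SIEM-style correlation rule over SSH authentication logs.

Added example for this page, not code from the original article or from
any SIEM product. The log lines, host name, user names and IP addresses
below are constructed (addresses come from the RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH-style auth lines:
# "<iso-timestamp> <host> sshd[<pid>]: <result> for [invalid user] <user> from <ip> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted password) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

THRESHOLD = 5        # failures from one source address ...
WINDOW_SECONDS = 60  # ... inside this sliding window raise an alert

# Constructed sample log: one address hammers the admin account and then gets in;
# a second address fails twice, far apart, which must not alert.
SAMPLE_LOG = """
2019-03-04T09:00:01 fileserver sshd[1012]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2019-03-04T09:00:04 fileserver sshd[1012]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2019-03-04T09:00:09 fileserver sshd[1015]: Failed password for invalid user root from 203.0.113.7 port 51024 ssh2
2019-03-04T09:00:15 fileserver sshd[1019]: Failed password for admin from 198.51.100.20 port 40100 ssh2
2019-03-04T09:00:18 fileserver sshd[1020]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2019-03-04T09:00:22 fileserver sshd[1021]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2019-03-04T09:00:30 fileserver sshd[1022]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
2019-03-04T09:00:31 fileserver sshd[1023]: pam_unix(sshd:session): session opened for user admin
2019-03-04T09:12:40 fileserver sshd[1100]: Failed password for admin from 198.51.100.20 port 40101 ssh2
""".strip().splitlines()


def parse(line):
    """Return a dict for an auth success/failure line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["ok"] = ev["result"].startswith("Accepted")
    return ev


def detect(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Correlate events per source address and return alerts in log order.

    ("brute_force", ip, host, failures)            -- threshold reached inside the window
    ("success_after_brute_force", ip, host, user)  -- a flagged source then logged in
    """
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = set()                       # sources already alerted on (one alert per source)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unrelated line (session open, sudo, etc.)
        ip, ts = ev["ip"], ev["ts"]
        window_fails = recent_failures[ip]
        # Slide the window: forget failures older than `window` seconds.
        while window_fails and (ts - window_fails[0]).total_seconds() > window:
            window_fails.popleft()
        if ev["ok"]:
            if ip in flagged:
                alerts.append(("success_after_brute_force", ip, ev["host"], ev["user"]))
            continue
        window_fails.append(ts)
        if len(window_fails) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append(("brute_force", ip, ev["host"], len(window_fails)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The value of a SIEM is in the second alert, not the first: a single host sees only its own failed logins, while the correlation across sources and over time is what turns noise into “someone got in after guessing.” The threshold and window are the tuning knobs; set them too tight and every mistyped password pages someone, too loose and a slow, patient guesser never trips the rule.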

Identity Security

When businesses and homes are attacked, the thieves are often after money or intellectual property. Some attacks, however, focus on identity theft, which at its core is someone exploiting your personal information for their own gain. Here are a few examples of dark web prices, from marketplaces reachable over the Tor network: $180 buys the login information for a PayPal account with a $1,700 verified balance; $5,000 buys a “real” Social Security number, birth certificate, passport, driver’s license, and so on; and $100 buys a credit card or access to a bank account with a $1,500 available limit.

There are numerous threats beyond those identified in this short article. Hopefully, you now appreciate that the threats are real and that there are reasonable steps you can take to protect your business, your family, and yourself.


Randy Johnston is a shareholder and executive vice president with K2 Enterprises LLC and CEO of Network Management Group Inc., a managed services provider. Concepts for this article were extracted from the security sessions produced as part of the 2019 K2 Technology Conferences and from Johnston’s own experience working with technology at various firms.

