By Tom Still
MADISON, Wis. – Here’s a holiday office gift no business should want. Sophisticated cyber-thieves have taken to delivering innocent-looking packages, usually without any department or person named, in anticipation they will sit unnoticed and unclaimed on a mailroom shelf for a while. Inside the package: Devices that can remotely steal or compromise a company’s digital data.
Merry Christmas! Happy Hanukkah! You’ve been hacked.
While a non-conventional example, the unmarked package trick – called “warshipping” by some – illustrates the lengths to which some cybercriminals will go to gain access to corporate data, with all the trade secrets, financial accounts, passwords, codes and other sensitive information inside.
The rising challenge of cybersecurity for businesses of all types and sizes was examined during a recent meeting of the Tech Council Innovation Network in Madison, where the head of a leading business organization and two seasoned technology consultants offered tips and ideas for how companies can aggressively defend themselves.
Hint: It’s not all about the technology, but also better training, breaking bad digital habits and improving corporate attitudes.
“Hope is not a (cybersecurity) strategy,” said Buckley Brinkman, executive director of the Wisconsin Center for Manufacturing & Productivity. The WCMP, which is part of a national network of similar organizations, recently surveyed about 400 C-level executives statewide on a mix of issues and learned some are overconfident when it comes to cybersecurity.
Even though one in six Wisconsin manufacturers reported a data breach of some sort, 85% of those who have not been hacked said they are confident – even hopeful – their data is secure.
In a world where cyberattacks are predicted to cause $6 trillion in economic damage in the coming year, companies should take security seriously at several levels, two other experts noted.
Jim Blair of Aberdean Consulting and Todd Streicher of CyberNINES, both based in Madison, said a combination of steps can help better protect businesses and organizations of all sizes. They agreed companies are far better off getting ahead of trouble than waiting for a breach to happen, especially when such attacks aren’t often noticed right away. Some advice:
- Use multi-factor authentication across data platforms. Often called MFA, such systems require users to provide two or more verification factors to gain access to resources such as applications, online accounts or a virtual private network, or VPN.
- Back up data and systems on a regular basis. Some company leaders may think their digital assets are securely copied, but that can depend on systems and platforms.
- Change weak or easily guessed passwords.
- Budget for the technical resources that can wind up saving money later.
Perhaps the biggest defense recommendation is reducing the odds of human error. Training programs can help employees better identify common threats, such as “phishing” emails.
Phishing represents about 90% of all organizational attacks. Such attacks take place when an attacker pretends to be a trusted contact, thus enticing the user to quickly click a link or attachment that downloads a malicious file. That usually provides access to sensitive information, account details and more.
Like the “warshipping” packages, phishing attacks are becoming more clever. Attackers can pretend to be the boss asking an employee to transfer money from one account to another, for example, with the destination account being bad news for everyone involved except the hacker.
Often gamified and entertaining, cybersecurity training platforms can help employees better identify phishing and malware attacks before they happen.
With insurance companies becoming a lot pickier about cybersecurity insurance and government agencies setting more stringent cybersecurity standards for private contractors, the stakes are getting higher. Business leaders can’t just “hope” their data systems are secure, but should take steps to make them so.
Still is president of the Wisconsin Technology Council. He can be reached at email@example.com.