In a world before social media, one with less people on the planet than electronic devices connected to the internet, shoplifters and annoying computer viruses posed the biggest threats to small businesses.
But in the world today where connected devices outnumber people new data from the National Cyber Security Alliance suggests that almost 50 percent of small businesses have experienced a cyber attack, more than 70 percent of attacks target small businesses and as much as 60 percent of hacked small and medium-sized businesses go out of business after six months.
As October, which is cyber security month, approaches, Zions Bank hosted on Tuesday a special presentation at the Shoshone-Bannock Hotel and Event Center aimed at helping businesses reduce their risk of cyber security attacks with keynote speaker, Dean Sapp, the chief information security officer at Braintrace, covering myriad security topics ranging from prevention and recognition to the types of security breaches and data hacks prevalent today.
“Firstly, I encourage companies to get a risk assessment where the entire executive team sits down together and discusses the aspects that bring revenue into your business and how you protect things like money or intellectual property,” Sapp said. “Then once you get a risk assessment, be sure to follow the recommendations. We have had many clients that have had a risk assessment and ignored it for six months and then they had a data breach.”
The most common cyber attack happening right now is called a Business Email Compromise or BEC attack, Sapp added.
A BEC is a sophisticated scam targeting both businesses and individuals performing wire and transfer payments, according to the Federal Bureau of Investigation. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
“With BEC scams, bad guys want to go after Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms, money wires and (direct) deposits — they want to go after anything where you are moving money or you have documents of material value like patents, copyrights or trademarks,” Sapp said. “We see a lot of law firms, real estate and title companies being targeted right now. The bad guys want to get into a person’s inbox to forward all messages to another account. That is a potential huge risk. Then the bad guys are now going to send a message to every one of your clients as if they were the law firm so that they can try and compromise the clients’ inbox. This massive web of fraud and deception just spreads from there.”
Sapp said that hackers utilize sophisticated methods to create BEC scams, oftentimes disguising harmful links or pages with sites that look identical to actual websites. The difference is that instead of logging onto or accessing the site or information, the user instead accesses a fake account or page that can allow a hacker to install harmful software such as keystroke loggers onto the device remotely. From there, it’s only a matter of time before hackers can access username and password information.
“There are several steps that these bad guys go through,” Sapp said. “In terms of planning the attack, they do reconnaissance and learn about the social media habits or what a person or group likes to do. Then they will scan your business and around the internet to see if there are any weaknesses they can point out.”
Sapp continued, “Then they go through the steps of trying to gain access to your accounts or to fake the account so that they can trick you or your employees into responding. Once they are in they want to maintain access until the proper time. What you will find is that hackers are pretty patient. They are waiting for the right opportunity, someone will go on vacation or be unavailable for a period of time and that is the time they try to go in and steal things.”
Statistical data from the FBI shows that BEC scams continue to grow and evolve — targeting small, medium and large business and personal transactions. Between December 2016 and May 2018, there was a 136 percent increase in identified global exposed losses.This type of scam has been reported in all 50 states and in 150 different countries.
Data from the FBI suggests that Asian banks in China and Hong Kong remain the primary destinations of fraudulent funds, but financial institutions in the United Kingdom, Mexico and Turkey have also been identified as prominent destinations, according to the FBI.
Though some cyber attacks are unavoidable, Sapp said encouraged people to engage in several best practices to become a harder target for hackers to pinpoint.
In addition to conducting a risk assessment and following all recommendations, Sapp said it’s best to not always rely on information technology (IT) staff to do most of the gritty security work.
“IT staff are often overwhelmed and booked with things to do for their entire day coupled with security usually not being a priority focus,” Sapp said. “If you’re trusting them to become the security experts that can be a challenge. Sometime you need really good experts.”
Sapp also recommended adopting a security policy framework. The Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense is a publication of best practice guidelines for computer security.
“The CIS 20 is my favorite,” Sapp said. “Over the last 10 to 15 years the CIS has gathered data about the controls that would significantly reduce the likelihood of a data breach, if implemented. The CIS came out with 20 areas to focus on and if you are a small business that adopts three or four of these you have a fighting chance.”
Lastly, Sapp recommends using a two-step verification process as well as password vaults to create and/or store passwords so that not all passwords are the same.
Another line of defense is Positive Pay from Zions Bank. Positive Pay is a verification service that helps businesses identify and report fraudulent and unauthorized payments. Zions Bank has Positive Pay services for both checks and ACH direct deposit.
“Positive Pay is a program where people send information back and forth to the bank,” said Cameron Cook, the senior relationship advisor for business payments and technology at the Zions Bank in Idaho Falls. “Positive Pay can be initiated on the client’s end where they send us files and information that we code with transactions or we send them a list of transactions and they verify the checks on their end.”