By Dwayne Smith
It’s 8:16 p.m. on Dec. 16, 2022.
You’ve waited 13 years for the second “Avatar” movie, and you’ve just sat through 15 minutes of uninspiring previews. Now it’s showtime!
Just as the film starts, your phone starts buzzing. Over and over.
As the person next to you grumbles, you whisper to your spouse that you’ll be right back.
Thankfully it’s not the babysitter calling, but, unfortunately, it’s a moment you’ve been dreading: Your PEO has been hit by a cyberattack, a distributed denial-of-service (DDoS) attack to be precise. Your system is overloaded and none of your customers can access their data.
Customers are upset, colleagues are worried and you’re feeling overwhelmed.
With the phone ringing off the hook, you find a place to work and try to keep your wits about you. You envision your career flashing before your eyes. As the de facto person in charge of cybersecurity, you need to act! So what do you do?
This is the type of “what-if” situation that cybersecurity experts grapple with all the time in what is known as a “tabletop exercise.” It’s a way to help plan for the unexpected.
As someone who has spent the past 20-plus years studying cybersecurity and supporting commercial, defense and intelligence organizations, I joined the PEO space earlier this year because I saw an opportunity to help this industry improve its cyber protections. Doing so is vital to help protect them and the small- and medium-sized businesses (SMBs) that make up the lion’s share of companies.
The consequences of a cyberattack can be devastating. One often-cited study found that 60% of small companies go out of business after a cyberattack.
Keeping your fingers crossed is never a successful strategy. The entire organization must embrace cybersecurity and improve “cyber hygiene” (prioritizing risks) to be successful.
So what’s the next big thing companies should be worried about?
Cyber experts are not fortune tellers—and the bad actors are, surprise, surprise, not forthcoming with their playbooks—but when it comes to cybersecurity trends, there are some clues.
News? You Can Lose!
Yes, deepfakes, social engineering—such as a fake email or text from a CEO—and other innovative cybersecurity attacks are emerging, but often what’s old is new again. There’s a reason the occasional email from a certain royal highness in a foreign land, who needs your well-compensated help getting money out of their country, still slips past our spam filters: The scam still makes money!
Similarly, in cyberattacks, all it takes is one person letting their guard down for the whole organization, and possibly others beyond it, to be affected.
“Phishing”—trying to trick someone into giving out information—is not new, but the subject matter of these phishing expeditions continues to evolve. If something’s in the news, such as Hurricane Ian making landfall, it’s unfortunately fair game for phishing. Cyberattackers like to take advantage of people’s emotions and kindness.
Be wary of emails asking for help with relief efforts, especially those that try to use fear to pressure you to make a quick decision. Making sure you’re actually donating or contributing to the right people/organization is important to you and those who are in need of the funds.
The minute something doesn’t seem right in an electronic solicitation, trust your gut. Typos, odd-looking links, messages from organizations you aren’t used to dealing with, etc., should be red flags that are scrutinized thoroughly. Going directly to the organization’s website or calling a known and verified phone number, rather than clicking on a link or replying to the email, is essential. These steps should be part of the normal process whenever a customer’s or supplier’s information changes. When in doubt, this is the best strategy.
Remember, today’s cyberattackers grew up in a digital world, so they have ample experience crafting authentic-looking messaging—and causing pain.
For instance, ransomware, where a bad actor locks up your data or systems until you pay them, has evolved into what some are calling “destroyware.” What this means is the cyberattackers aren’t necessarily looking to make money but instead looking to take out data and devices in attacks that are often motivated by political reasons or former workers seeking revenge.
Unfortunately, we can expect more of this in 2023 and beyond as many bad actors now sell cyberattacks as a service. Essentially it’s like a SaaS business for hackers.
Caught in the Crossfire
There are many things that keep cybersecurity experts up at night. Here are a few:
- Accidental Attacks: You might be asking yourself, “How can an attack be an accident?” Here’s an example: A cyberattacker wants to go after a certain company so they research IP addresses. They think they found the right one, but that IP address is actually sublet to another organization. Also, IP address registration isn’t always 100% accurate, so the cyberattacker might have no real interest in your business, but you could be attacked by mistake.
- Collateral Damage: It’s also possible that a company you do business with is hit with an attack that could affect you. Either information is exposed or the attackers get access to your systems by exploiting others’ vulnerabilities. You might not be the intended target, but you get dragged into the fray nonetheless.
- Work Around: Cyberattackers, like anyone else, need practice, so going after a smaller “fish” with poor defenses can pay big dividends. They can learn what works and what doesn’t, or, if they know you do business with a bigger “fish,” they can try to exploit your systems as a stepping stone to the organization they really want to target, or even to the supply chain through Industrial Internet of Things (IIoT) attacks.
Where Should I Invest?
You’re probably asking, “What can I do to help secure my data in 2023 and beyond, especially on a limited budget?” Good question. Here are my thoughts:
- Server Up: I think you should absolutely make the investment to review your processes while ensuring you are staying on top of who has access to what. Remember our tabletop exercise? Take the time to walk through scenarios now so you’re prepared down the road to maintain continuity and expedite recovery should there be a successful attack. It’s always best to have a backup server that’s already loaded and ready to go, whether internally or through a vendor, so if something happens to the main server, you can immediately go to the backup. In most cases, you can be up and running in an hour or less.
- Throw Back a Phish: One of the easiest and most cost-effective tacks you can take to change your cyberculture is through training and reinforcing messaging around not clicking on suspicious emails, texts or links. And that message should go out to the people who work for the PEO as well as the customers the PEO supports. Without a doubt, mistakes happen; people are human. But if something sounds fishy or too good to be true, it probably is. An organization’s cybersecurity is only as strong as the carefulness of the people using the networks and systems.
- (Multi)factor in Encryption: I highly recommend enabling multifactor authentication (MFA), which you’re undoubtedly familiar with by now if you’ve ever tried to log in to an account and been asked to verify the login through a text message or email. MFA vastly improves security measures by ensuring the right person is able to log in to the right accounts. Also, using encryption to protect data as it is stored and transmitted across the network and on servers and devices is key. If a laptop is lost or stolen, for instance, you can be assured it would be extremely difficult to get the information off the machine if it’s properly encrypted.
When it comes to cybersecurity, everyone has a role to play. If the PEO industry works together and shares best practices, we can build a more cybersecure world together for everyone.
This article originally appeared in the December 2022 / January 2023 edition of PEO Insider magazine.
Dwayne Smith is PrismHR’s chief information security officer (CISO). A native of Kentucky, Smith possesses more than 20 years of experience supporting commercial, defense and intelligence organizations. He is also the author of the new e-book, “A Cyber Primer: The HR Outsourcer’s Guide to Cybersecurity.”