Help small business clients deter cyberattacks

When it comes to cybersecurity in 2023, employees are usually the weakest link, ethical hackers told Canadian Underwriter.

This is especially true for smaller businesses, which often have no visibility into their corporate networks, little or no budget for cybersecurity, and no data recovery or response plan in place if things go wrong. Larger corporations are often subject to direct, brute-force attacks that are much more difficult to perpetrate, but getting an untrained small business employee to click on a phishing link is relatively easy, cyber experts say.

“Hackers aren’t wasting time trying to hack your firewall and get detected when all they have to do is send a crafted email to one of your employees and have them click on a link they’re not supposed to,” said Terry Cutler, an ethical hacker and CEO of Montreal-based cybersecurity firm Cyology Labs.

“When [the employee] clicks on that link, now [the hacker’s] become an insider. They bypass all your cybersecurity and now they’re in your system.”

The average time to detect a hacker is 286 days, Cutler said, so employees need training to help detect vulnerabilities.

“Most mail filtering technologies will pick up on a header that’s not quite right,” added Johnty Mongan, Gallagher’s global head of cyber risk management. “But if you directly approach the finance director with a very well-put-together email, there’s nothing wrong with that email.

“[Hackers are] just trying to rely on the fact that [a] person may be busy; they may trust that this is real email. The thing that’s been exploited is just a different part of the human psyche that’s not quite adept at picking up on malicious activity.”

Mongan, who does risk consulting, estimated 80% of breaches come from people. “If you were to look at where a hack is going to come from, you would apply a lot of your budget to the humans,” he says. “But more budget is applied to technology, which, statistically speaking, is the weaker bet.

“You should put more of your investment into people.”

Address the mid-market

Michael O’Connor is associate vice president of technology/cyber and professional lines at Sovereign Insurance. His focus is on small- to medium-sized companies and said gaining access through phishing “is not as difficult as the average IT person thinks it is.

“And that’s where we see a lot of our claims come from — more the phishing side versus the direct attack side.”

Cyberattacks on large corporations tend to make headlines — think Suncor, Indigo, Sobeys, and the Weather Network — but that’s “a very small percentage of what the overall loss profile looks like,” O’Connor said. “Part of the challenge from the insurer side is [making] smaller companies recognize they’re also vulnerable to attack.”

When you filter out attacks that rely on humans, technical vulnerabilities exist in a variety of places, such as end-of-life software, security misconfiguration or default passwords and remote desktop protocols. Even credential stuffing, in which an attacker uses a previously leaked username and password to exploit user accounts, remains an issue.

So, what can businesses do to improve their cybersecurity posture and help prevent losses?

The first step is knowing when somebody is on the corporate system by understanding what Cutler called an attack surface — whether a business could be attacked via the cloud, network, or endpoints such as mobile devices, desktop computers and servers connected to the network.

Investing in tools such as endpoint detection and response (EDR) solutions can help spot an attacker who might otherwise go unnoticed. Intrusion detection systems at the very least can notify a company that there’s unusual activity inside a network, O’Connor added.

“Most modern cars have an alarm system, same as houses,” Mongan said. “But for a network that is quite complex in its ingress and egress, I don’t feel like companies are investing enough in just sensors that spot unusual behaviour…

“If they had that, they may be able to jump on the problem quicker. You’re never going to be able to rub the problem out but may be able to respond to it better.”

But Cutler warned an EDR solution is not a cure-all. “A lot of times people will say, ‘Well, I have an EDR solution…on my workstation, so that’s all I need. But you’re neglecting to have your network and your cloud security on there, too.”

Patch things up

Companies should also have a formal patch management system.

Updating unsupported, end-of-life software is an easy way to prevent hackers from exploiting vulnerabilities. It’s an obvious solution, but it can be difficult for smaller businesses that can’t afford to spend $50,000 to buy licences and update systems and software, O’Connor acknowledged. And even if they have new software, “the problem with those is that it’s not fully secure out of the box,” Cutler added.

Businesses should also enable local administor password service, so every computer on the network has a different username and password.

“That sounds really basic [but]…in a physical sense, every door in the house has the same key,” Mongan said. “IT leaders are not taking the time to change the bespoke or specific username and password for each PC on the network.

“If they haven’t done that, an attacker can simply move around the network digitally with the same key, offloading ransomware or malicious code onto each of the machines,” he says, calling this a driver of “big claims” for Gallagher’s clients.

Hackers have even found a way to circumvent multi-factor authentication (MFA) through so-called ‘MFA fatigue’ attacks. For example, hackers can get a password from the dark web and then spam someone with, say, 30 MFA prompts. As soon as the victim says yes to one prompt, the hacker now has access to their account.

“We deal with massive claims from MFA fatigue, and it still surprises me that [it] is a thing,” Mongan said. “It’s almost like this passive trust in anything that’s on the phone.”

This is why employee training should be a strong area of focus. Sovereign Insurance conducts phishing campaigns with clients to simulate attacks and see which links employees click on, O’Connor said. If 10% of employees click on a fake gift card from the CEO, that indicates training is needed.

Small businesses often feel they’re too small to get hacked, Cutler said. But it’s not so. “The cybercriminals know that they don’t have the time, money or resources to deal with cybersecurity, so it makes them the Number 1 target.”

Feature image by iStock.com/sorbetto