Companies that fall victim to a cyberattack, however, often suffer more than the loss of valuable assets. They face reputational damage, operational downtime, the theft of sensitive customer data, and millions of dollars lost due to inoperable systems. The good news is that many cybercriminals follow predictable patterns when it comes to the kinds of attacks they launch.
Government agencies and cybersecurity entities have already had success using criminals’ habits against them. Your company can similarly combat many cyberattack vectors by taking a few key steps and shifting your focus.
Here are a few common cybersecurity mistakes to stay away from to safeguard your organization.
#1. Failing to Update Your Systems
One of the most common mistakes companies make is to think of cybersecurity as “set it and forget it” measures they can put in place one time and then focus on other endeavors. The truth is you need to constantly update the elements that make up your cybersecurity defenses:
- Operating systems
- Antivirus and antimalware software
- Hardware, such as firewalls
- Software security systems, such as cloud-based security information and event management (SIEM) tools, email protection solutions, software firewalls, and others
By ensuring these and any other cyber protections are updated, you take advantage of the patches manufacturers release to address vulnerabilities.
#2. Underestimating Cyberattacks
An IBM study found that a data breach in 2021 cost $4.24 million on average. However, costs can easily soar, such as in the case of the NotPetya attack, which cost $10 billion; MafiaBoy, $1.2 billion; and even the first internet worm, which might have cost companies and people as much as $100 million in damages. Organizations also had to pay millions of dollars in cyberattack settlements.
Ransomware attacks, which involve a cybercriminal taking control of a system and holding it hostage until the target victim pays a ransom, have been particularly potent attack vectors. For example:
#3. Not Training Employees on Cybersecurity
Because cybercriminals often use employees to gain access to a company’s system, leaving them untrained opens the door wide for these opportunistic predators. To ensure employees know what to look for, what to do, and stay on the alert:
- Communicate the possible impacts of a breach
- Teach them about the different kinds of threats on the landscape
- Make your cybersecurity messaging easy to understand
- Include cybersecurity training as part of your onboarding process, reiterating key messaging throughout the employee lifecycle
To help you get started, these security companies provide a range of training programs for various types of users:
#4. No Effective Testing Process
Testing your cybersecurity system is critical. Service providers and manufacturers can claim their solutions will adequately protect your system, but testing is the only way to verify whether you have the safeguards you need. It can be tempting to think, “Well, we haven’t been attacked yet, so we must be doing something right.” While this may be true—at least in part—it could also mean that you just haven’t been hit by the attack that your system can’t handle.
It’s similar to a home security system. A house with a well-protected front door may not get broken into for years, but that may be because the house owners have yet to meet a thief who knows how to access a second-floor window. When the home faces this kind of attack, its other defenses will be meaningless.
The same thing can happen with your organization's cybersecurity defense system, and this underscores the value of testing. For example, if your antimalware is top-notch, fully updated, and feature-rich, you can successfully rebut malware attacks for years. But that may not protect you against a whale phishing attack that tricks an executive into providing their login credentials. On the other hand, if you regularly test all facets of your cyber defenses, including how employees and executives react to attacks, you stand a better chance of revealing a weakness—and fixing it.
To ensure your defenses are adequate, you can:
- Hire a penetration tester to assess your cyber defense technology
- Hire a white hat hacker to attempt to bypass both your cybersecurity tech and employees
- Use a cybersecurity testing tool
#5. Not Focusing on Email Security
Email security should be paramount in your cyber defense strategy because email is one of the most common attack vectors. This is because employees generally use email for work, and many companies have their own email systems that they give employees access to.
Email is commonly used to launch:
- Phishing attacks
- Get malware onto users' systems
- Deliver ransomware
- Execute business email compromise (BEC) attacks, which are a kind of phishing designed to trick someone into sending money
Focusing on email security allows you to cover several cybersecurity bases at the same time. For instance, if employees know the kinds of links not to click, you strengthen your defenses against all of the above attack vectors. Further, if they understand what to look for if an email brings them to a site asking for login information, you protect both your organization’s access credentials and your employees’ personal and financial accounts.
How Weak Email Security Resulted in Millions of Dollars Lost to Evil Corp
Despite the range of high-tech, intricate, and complicated attack methods hackers use, one of their favorite go-to vectors is email phishing. Several organizations learned this the hard way, thanks to a series of attacks levied by hacker coalition Evil Corp. The U.S. government and Britain’s National Crime Agency (NCA) and National Cyber Security Centre (NCSC) joined forces to track down eight members of the group and sentence them to a total of more than 40 years in prison.
Here’s how the hackers stole around $100 million and how they were eventually apprehended.
- Online forums for organizing criminal activity: Cybercriminals led by Maksim Viktorovich Yakubets, nicknamed “aqua,” used an online criminal forum called DirectConnection to get together and organize attacks and the infrastructure needed to cash in. Yakubets set up a subforum within DirectConnection specifically for banking fraud. Here, Evil Corp members could meet to discuss their strategies.
- Phishing attacks to obtain banking credentials: Attackers then sent phishing emails to people who worked for organizations, requesting login credentials for either bank accounts or payroll accounts. Once these were obtained, the hacker immediately sent the information to the others in their criminal network using DirectConnection. The information was then used to hack into an organization’s account, gaining access to their payment system.
- Money mules for funneling the money to cybercrime bosses: Mules, who had been well-tested and vetted beforehand, were then sent a message saying a “client” was to send them money. They were directed to take their portion of the cash and then send the rest back to Evil Corp’s bosses.
How the Authorities Brought Down Evil Corp
While the DOJ and the FBI declined to provide specifics, they did reveal some information regarding how they managed to catch the eight members of Evil Corp—through their own money mules.
Each money mule had to submit their bank account information to Evil Corp during the recruitment process. Law enforcement then found the mules and used them to track down Evil Corp members. The mules, while less skilled and experienced than the hackers giving them orders, were an essential element of the scheme. They received and forwarded stolen money, so government officials got to the big bosses through them.
Even though Evil Corp has finally been brought down, its success is a sobering reminder of the importance of cybersecurity vigilance.
Proactively Defend Your Cyber Ecosystem
By updating your cybersecurity tools, recognizing the damage a cyberattack can inflict, training employees, testing your defenses, and focusing on email security, you are in a much better position to defend your organization’s cyber ecosystem.
The cost of a single breach justifies virtually any expenditure required to fortify your security defenses, but in many cases, you can bolster security relatively inexpensively. The key is avoiding a "set it and forget it" approach and constantly revisiting your solutions to test for any sign of weakness.