Cybersecurity experts weigh in on crucial protections for businesses

Organizations must adopt a technology mindset to protect against cyber threats

All businesses, regardless of size, need to consider themselves technology companies if they rely on the internet for operations. Jon Waldman, president and partner at SBS CyberSecurity in Madison, South Dakota, shared this message in an effort to help organizations rethink the way they protect themselves. “It’s a mindset shift, because if you at least realize that you are a technology company, then you think of your organization differently,” he said.

The 2023 Internet Crime Report by the FBI Internet Crime Complaint Center (IC3) revealed increases in the frequency and financial impact of online fraud by cybercriminals. The IC3 received 880,418 complaints from the American public in 2023 with potential losses exceeding $12.5 billion, an increase of complaints by nearly 10% compared to 2022, and a 22% increase in losses.



The most frequently reported crime in 2023 was phishing schemes, accounting for about 34% of all complaints reported.

Waldman shared an example of a small florist shop that’s not heavily reliant on technology but does use it as part of day-to-day operations. The sole proprietor uses the vendor Square to accept credit card payments.

One day, someone texted and called the shop pretending to be a representative of Square – a person the business owner was familiar with. The owner was busy and didn’t ask enough questions about the information being requested, and the “threat actor” took advantage of that. The threat actor was able to get the business' credit card information and by the next morning, the business owner discovered $5,000 worth of fraudulent charges on their account.

“A lot of small businesses in particular will tell themselves a really bad story,” Waldman said. “And they'll make excuses, and they'll say, ‘Well, I'm a small business in the middle of nowhere. I'm a floral shop in the middle of Madison, South Dakota. Nobody knows who I am. Nobody knows what I do. Nobody knows I'm not valuable.’ And I say people tell themselves a bad story and they make an excuse because those things are not true. The vast majority of cybercrime is simply a crime of opportunity.”

Waldman said it doesn’t matter what size the business is, what sector it’s in or how much revenue it brings in, although small businesses can be more often at risk due to limited resources.

“A bad guy doesn't care. A threat actor, a cybercriminal, doesn't care about any of those things. To a bad guy on the internet, you're a number, that's all they're interested in,” Waldman said. “They’re looking for victims of opportunity, which is why we call it crimes of opportunity. The vast majority of cybercrime is automated today, automated to the point of compromise.”

Cybercriminals take the path of least resistance, the low-hanging fruit. Waldman says they’re looking for vulnerable IP addresses or vulnerable devices connected to the internet that can be compromised.

Sometimes the target is not the organization hacked – it’s a vendor. In 2013 during the Christmas holiday season, retailer Target sustained a major data breach after hackers entered the digital systems of one of its vendors — an HVAC company in Pennsylvania. Target’s point-of-sale machines had been compromised and as a result, 70 million of its customers’ personally identifiable information and 40 million customers’ credit card information were stolen.

Scott Kaylor is senior manager for Business Services at NISC (National Information Solutions Cooperative) in Mandan, North Dakota. NISC is an information technology company that works primarily with its member-owners, which are utility cooperatives and broadband companies across the U.S.

Kaylor said his organization has seen an increase in ransomware threats, noting 31 attacks on its member-owners since November 2021 and 11 last year, with 8 in the fourth quarter of 2024. It’s now common knowledge that an organization must have its technology protected using things like firewalls and endpoint detection systems, for example.

The biggest weakness of most organizations is the employees, Kaylor shared. Educating employees on cybersecurity and regular training throughout the year is crucial to ensure social engineering attempts are thwarted. Social engineering can be phishing, which can come via email, SMS, social media and other types of personal communications.

According to the FBI, about 98% of cyberattacks use some type of social engineering to cause a breach. Kaylor said NISC provides cybersecurity resources for its member-owners, along with support and education. The organization works closely with the North Dakota State and Local Intelligence Center, which takes reports of crime as well as sends out notifications about criminal activity.

“They (cybercriminals) are preying on you and me as an end consumer of utility and telephone broadband service, meaning, ‘I'm going to try to get Scott Kaylor's email and address for NISC smart hub to pay my bill,’ and then they work their way into the organization where they're targeting end users. They’re trying to use that to social engineer into a business. So that's also an important thing to notice, and we have. It's pretty important. And I think that's an eye-opener for a lot of people,” Kaylor said.

“We're in tax time right now, so everybody's busy doing their taxes, and that's a great time for threat actors to try to social engineer employees and basically anybody, to be honest with you, but they could do that through a business as well. So they'll use the time of the year, whether it's Christmas, tax time, or even a natural disaster,” he said.

Kaylor said businesses should have layers of defense. First, make sure every employee has good password hygiene and password rotation.

“I like to use the word passphrases because they’re much easier to remember. And you can do 20- or 30-character passphrases, like ‘I like to hunt pheasants in North Dakota,’ and you can put special characters. It's a lot easier to remember than a 20-character password. So I try to educate them to use passphrases versus passwords.”

Another way to tighten security, Kaylor said, is to use multifactor authentication. It can be used on social media accounts, bank accounts, utility accounts, and anywhere a person wants to increase their cybersecurity, he said, noting that threat actors will see that and often move on to someone else.

“You're making it more difficult for them. So they're going to pivot and go with somebody else that they can prey on, that don't have that,” he said.

Overall, every organization should have the mindset that “it's going to happen to me.”

“From a business perspective, think ‘We are going to have a threat actor on our network.’ Having the tools and getting the visibility to see when a threat actor gets on the network and starts to elevate privileges or look for how they can exploit vulnerabilities on a network, having those tools that'll pinpoint that, and having that monitored by someone 24/7 is really important,” he said. “And just like anything else, and everybody kind of knows this, but patching your systems, patching your phones, patching your PCs, patching your servers, that's important.”

Cybersecurity expert Tom McDougall, CEO of Highpoint Networks, Sioux Falls, South Dakota, emphasized the necessity of ongoing education and training for IT professionals to address constantly evolving cyber threats. He pointed out that although tools such as AI and endpoint protection are essential, human error continues to be a major vulnerability.

“As a company that considers themselves fairly good on the consulting side of this, we also use tools. We have those same attacks,” McDougall said. “We have the same things happen. We have people in our organization who get an email that looks legitimate, and they open it and it's not legitimate, and we've had a few instances where it's initiated an attack. We have tools in place that can stop those. We know how to do that, but that still doesn't prevent the initiation from happening. Really, it’s training. It’s giving people examples of what they might see.”

McDougall said companies need to examine how they back up their information and look for gaps between backups and production sites.

Ransomware is another type of cyberattack that holds an organization’s data hostage until a ransom is paid.

McDougall shared an example. This is where having cyber insurance can mean the difference between a business being able to recover its operations or not.

“We had one instance where a company had been infiltrated for several months before a ransom was initiated. But in the forensics component of that, we found that they already knew what their insurance policy was going to pay. They already knew their employee list and their customer list. Let's say that their limit on liability, from an insurance perspective, was $2 million. How much do you think the ransom was for? Two million dollars,” McDougall said. “We've even had instances where companies have been hit more than once, and I suspect that will be more and more often. I really wish these people who are doing that would use their intelligence for something good instead of something bad.”

His final piece of advice – when in doubt, don’t. If there’s a question, ask.

“The three-letter agencies will tell you that more and more people have access to our data. They just don't know what they're going to do with it. So we just have to do everything we can to protect ourselves and make sure we have good backups,” he said.