It’s estimated that 55% of organizations experienced a cyberattack in the past year, many of which went undetected.
Not only are the threats of cyberattacks rising, but so is the level of disruption and damage they cause. In addition to direct financial losses, the adverse impacts on an organization’s reputation and operations can be even more severe and long-lasting.
And it’s not just large corporations being targeted.
“If you think it can’t happen to your organization, think twice,” cautions Ron Borsholm, B.C. leader, cybersecurity services, for MNP. “Successful attacks have been made on small businesses, retail chains, post-secondary educational institutions, not-for-profit organizations and even minor hockey associations. Hackers don’t discriminate.”
According to Borsholm, spear phishing and ransomware are two of the most common cyberthreats.
Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. In one recent case, an organization lost significant money when its accounts payable clerk was targeted and asked by email to change a vendor’s banking information. The criminals then sent fake invoices to the organization, which were paid using the altered banking information.
In another case, the chief financial officer at a not-for-profit received an email that looked like it was from a bank the organization used. It asked her to update her user ID and password, and in the rush of a busy day she quickly complied. A few days later, it was discovered that hundreds of thousands of dollars had been stolen and wired out of the organization’s account.
Ransomware is a type of malware that prevents users from accessing their computer system unless a ransom is paid. In most cases, users click either an attachment in an email or a link on a web page, which leads to their systems being compromised.
Borsholm recalls a small liquor store that recently fell victim to such ransomware. While the company was asked for a ransom of only $500 in bitcoin (which it paid), it cost more than 10 times the ransom amount to fully restore its computers to a secure state. To add insult to injury, the perpetrator sent the business owner an unofficial receipt thanking them for their “involuntary purchase.”
“Many of these organizations did not have sufficient internal controls in place, such as policies, procedures and training, to prevent this from happening,” says Borsholm. “Other organizations put controls in place but then fail to test them to ensure they are working correctly.”
For example, in another ransomware attack in B.C., a company discovered its computer backups had not been working.
“Without any backups, the company was essentially left crippled with a total loss of over six months of operational and financial information until the ransom was paid,” says Borsholm.
Organizations that accept credit card payments face another concern. Under their merchant agreement, they are required to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS).
“The PCI-DSS is a standard which requires a basic level of security, and a lot of organizations aren’t aware of it,” Borsholm explains. “As a result, they don’t follow common security practices, which leads to potential credit card breaches.”
Peter Guo has been working in IT security and audit since 1999 and is MNP’s B.C. leader for enterprise risk services. He says the first step in protecting your organization is to fully understand your specific situation.
“Do you know what your critical data is and whether that type of data is being targeted? Do you understand the strengths and weaknesses of your technology? What are the threats and what internal controls do you currently have in place?”
Guo recommends a maturity and threat analysis as a good starting point. This analysis provides the information you need to prioritize your risks and appropriately protect your organization.
Education across the organization is also critical through a formal and recurring awareness campaign.
“Good cybersecurity isn’t just a matter of putting protective technology in place,” Guo emphasizes. “Threats and technologies constantly shift, and people need to be constantly reminded to stay vigilant. As organizations change, people enter new roles and have access to different systems, information and data; they need to know what’s expected of them when it comes to cybersecurity.”
MNP offers a wide range of cybersecurity services including maturity and threat analysis, PCI compliance consulting and audit, network vulnerability and penetration testing, and internal control assessments.
In our increasingly connected world, cyberattacks are happening with greater frequency and present a very real risk for businesses of all sizes. If you’re not sure about your organization’s ability to withstand one, take action today to avoid a crisis and protect your company’s assets.
To find out what MNP can do for you, contact:
Peter Guo, MBA, CPA, CA, CISA, CRISC, CITP, ABCP
B.C. Enterprise Risk Services Leader
B.C. Leader, Cybersecurity Services