If you think you have cybersecurity under control, think again. While familiar threats such as ransomware are still dangerous for firms, new threats are emerging every day that are even more difficult to identify and keep under control. Dealing with them requires aligning technology, strategy and employee training in a holistic approach to cybersecurity.
Cyberattacks come from all sorts of angles and sources. Most would-be cybercriminals still use phishing, generally by sending malicious links via email, to break into systems. But there’s a lot more to the evolving cybersecurity landscape than just phishing, which itself is still a massive threat.
The list of top cybersecurity threats is growing
Consider some of the following evolving and new threats firms now have to deal with:
Attacks on zero-day vulnerabilities
While nothing new, these attacks are on the increase. In an attack on a zero-day vulnerability, cybercriminals find a way to get around security weaknesses in applications that developers haven’t yet had a chance to fix. Essentially, when a zero-day vulnerability exists, attackers try to exploit it before software developers can fix it.
Chasing down and fixing zero-day vulnerabilities in order to prevent attacks keeps developers busy. Late last summer, Microsoft released 64 fixes for zero-day vulnerabilities, one of which attackers were actively exploiting. In just one week last year, Google released six updates targeting zero-day vulnerabilities. As of fall 2022, there were 1,200 known zero-day vulnerabilities, each of them providing an easy path for a cyberattack. That number is unlikely to decrease.
It’s like phishing but for cell phones. And while it’s also not a new threat, it is one that’s becoming increasingly common and sophisticated. An employee receives a text message that looks legitimate or intriguing and clicks on a link, triggering malware that an attacker can use to steal your firm’s data.
Smishing is especially insidious because while employees might be careful not to click on a link in a work email, they’re not as likely to be as careful with text messages. This is not a small problem, either. Americans receive more than 40 spam texts per person per month, and nearly 70% of recipients don’t know they’re being targeted by smishing attacks.
A successful cyberattack on one application can lead to others on different apps—or on different organizations. For instance, an attacker breaches one organization, steals all the logins and passwords there, and uses them to break into networks of similar businesses. Why does that work? People will often use the same login and password for, say, accounts with different airlines. So, when an attacker steals login information for Airline A, there’s a good chance that those credentials will also work for Airlines B and C, too—and maybe even for rental car companies and hotels.
What does that have to do with your accounting firm? If your employees use the same credentials for your tax program, your accounting application, your research software and your practice management system, then a breach of one of those applications can easily lead to a breach of all of them. Users need at least a different password for every application. Your firm needs to implement multifactor authentication for logins—which is an IRS requirement if you’re processing tax returns, anyway.
It’s also critical to terminate an employee’s credentials when the person leaves the company. An old password led to an attack in 2021 that leaked data for 8.4 billion accounts and caused fuel supply disruptions on the East Coast.
This is another familiar threat that’s getting worse. Two factors are making this familiar threat progressively more dangerous.
One is double extortion. In the past, cyberattackers encrypted a victim’s data and delivered a key to unlock the data after receiving a ransom. Now, attackers steal data and try to monetize it. They threaten to leak data within hours after theft and hit victims with denial-of-service attacks if they refuse to pay quickly. They also encrypt data and sell it anyway, whether they receive a ransom quickly or not. Other attackers can then use compromised credentials to get into the victim’s systems as well as those of the victim’s partners and clients.
The second exacerbating factor is that ransomware has become a lucrative business for vendors of cybercrime. Ransomware-as-a-Service (RaaS) vendors have popped up recently, developing data-stealing applications for cyberattackers and sharing the money derived from sales of stolen data. RaaS lowers the barrier to entry for would-be cybercriminals by reducing the expertise needed to develop effective applications for data theft.
In one study, 66% percent of businesses reported being hit by a ransomware attack in the last year. Of those, nearly half paid the ransom, but only 4% of that group got all their data back. The average cost to remediate a ransom attack was $1.4 million.
Here’s where attacks start to get sneaky. In conversation hijacking, malicious emails don’t come from a random source or from some poorly disguised fake bank or service provider. They appear to come from people you trust—fellow employees or maybe your boss. Conversation hijacking is becoming more popular because when it works, it works well for cyberattackers and generates huge paydays.
Essentially, attackers get into an employee’s email account and monitor activity. When they notice payment transactions, logins, passwords, verification information or any other critical pieces of data, they jump into the conversation and say money needs to be transferred to a different account or offer a new account number. The money goes straight to the attackers. Again, the email appears to come from a fellow employee or trusted source, so victims don’t necessarily question the interaction.
Small businesses are much more frequent targets of this sort of attack than bigger companies, so your firm is at high risk. The best thing for users to do when they spot something suspicious is to contact the emailer via another method, such as phone, for confirmation that the message is real.
What once was the stuff of dystopian science fiction has entered the very real realm of cybersecurity. Attackers are using the type of artificial intelligence you might have read about to imitate voices or even create authentic-looking fake videos. The applications required for creating deepfakes are cheap—sometimes free—and are readily available and easy to use.
Deepfakes get results. In one case, bogus audio led to the theft of $35 million. One cryptocurrency executive found that scammers had successfully created a hologram of him to target unsuspecting victims. In some cases, cybercriminals have actually used deepfakes to apply for, and get, jobs as remote tech-support staff with companies, enabling the attackers to have first-hand access to critical customer data.
In general, deepfakes are convincing but not perfect. If employees suspect anything is amiss—maybe they didn’t expect contact via video from a colleague or client, or maybe a voice sounds a little flatter than usual—they should arrange to contact the other person via another method. A phone call will usually suffice as long as the employee uses an existing number for the contact and not one provided by the scammer.
How firms can avoid top cybersecurity threats with Smart Security Management
The rapidly changing cyberthreat landscape can seem overwhelming, and it should. Just one successful attack could destroy your firm. But you’re far from defenseless. The key is to take a holistic approach to cybersecurity, one that involves protecting networks and devices as well as training employees to avoid potential threats.
Your firm needs to take a set of security measures in order to ensure protection of your clients’ data from multiple forms of threats. It’s not necessarily an easy set of measures to follow—unless you run critical applications in the cloud and turn maintenance, updates and security over to professionals. Finding a dependable provider of employee security training is essential, too.
Here are some critical cybersecurity measures for firms:
Validation of trusted users only
This starts with using a professionally installed and properly maintained virtual private network (VPN). Employees should never use public Wi-Fi; a 4G or 5G mobile hotspot is a safer option. That goes not just for airports and coffee shops but also for clients’ offices as well. Clients might already have a keyboard logger running on their networks, tracking every keystroke in the office and stealing credentials. Unfortunately, you really can’t trust any setup but your own—and your setup is much more secure if you’re trusting it to a cloud provider.
Along those same lines, don’t give an administrator password to just any employee. Keep those for IT professionals and firm owners only. Everybody else can connect to individual applications as needed with a different password for each app.
An updated data map
You need to know exactly where your firm’s data is located, whether it’s stored in the cloud or on a server in your office. Document management, tax processing, payroll—everything lives somewhere, and you need to know exactly where. You also need to establish an order for restoring data in case of a disaster. For instance, during the last four weeks of tax season, document management and tax apps are mission-critical. You would need to restore those first if a calamity occurred. Time and billing apps, on the other hand, could come back online later.
All of this, of course, will be much easier for your firm if a cloud provider stores and manages your data and creates a comprehensive data map for you. The less data you store on your own, the fewer problems you’ll have protecting and recovering critical information in case of an attack or disaster.
Remember, too, that if you prepare taxes, the IRS requires your firm to have a written security plan in place for dealing with a data breach.
Constant infrastructure updates
You need to update your technology components constantly. That means keeping your antivirus up to date as well as your operating system, routers, server infrastructure, storage devices, plug-ins for video capabilities and basically anything else you use that needs updates.
That’s a lot of work for you to take on yourself, but a cloud provider can help keep many applications up to date, and a managed IT service provider can maintain just about everything in your IT infrastructure. You also need intrusion detection and monitoring as part of your IT setup, something that’s almost never present in on-premises IT models but is almost always available through a cloud provider.
Your firm also needs to secure its devices, such as your computers, and not just your server infrastructure. The right security partner will provide protection for the devices your employees use to access critical information, as well as the network the information resides in. Device security is critical, but it’s very difficult for a firm to carry out on its own. Finding the right partner is key.
A zero-trust mindset
As cumbersome as it might seem, the safest way to have employees log into apps with databases that contain critical information is to have them login to each one individually every time they access a particular app. That means taking the time to log in to, say, document management and then log out again once finished. The employee should only stay logged in while using the app. Taking just a few seconds to log in and out can help prevent a catastrophic data breach.
Passwords should be strong; not so much a mix of letters and numbers. Passwords should be a phrase of several words strung together, totaling at least 14 characters in length. Of course, employees should use different credentials for each application. Changes should alter the password significantly. No more “password1” and then “password2” three months later.
Password managers, sometimes called password “wallets,” are also a good idea for keeping credentials safely accessible. And never, ever use a password “tester;” those are mostly data-stealing scams set up by cybercriminals.
Other security notes: Never use USB devices, and never use Windows 7. The old Microsoft operating system is known to be compromised. If you have a Windows 7 computer in your possession, destroy it and throw it away.
Your people are your last and best line of defense against a cyberattack. They need to know how to avoid the many threats that they will encounter in their daily work lives. A malicious link that’s never clicked can’t really do any damage. But with cyberattacks becoming more sophisticated, your employees need reliable and constant cybersecurity training if you want to keep your firm safe.
When dealing with people, make sure to do background checks on prospective employees before hiring them. Or consider bringing them onsite for an interview. Just one visit from a cyberattacker can leave malware stealing your firm’s data.
Stay ahead of top cybersecurity threats in the cloud
Another important security measure firms should take is buying cybersecurity insurance. But the first decision your firm should make is to run operations in the cloud.
Whether you turn critical business applications, including QuickBooks® Desktop, over to a cloud provider, or choose a managed IT provider to manage the bulk of your IT infrastructure, a cloud provider offers expertise, facilities and experience no firm can realistically match internally. And with cybersecurity becoming a more complex operation all the time, peace of mind is worth the investment.
Are you ready to protect your firm from emerging new threats? Get started here!