Simple Steps to Improve Protection Against Non-Targeted Cyber Attacks
For financial services companies, including factors, cyber attacks are a continually growing threat and have been for years. To defend against threats, companies must invest in two-factor authentication and universally utilized anti-virus and anti-malware systems.
BY ADAM LOMAX AND GREG SALOMON, OXYGEN FUNDING
Following the growth of the computer age in the workplace in the 1990s, back in the early 2000s and up to as recently as just 10 years ago, corporations spent money to prevent the loss of their competitive position using company-issued equipment that often was numbered and controlled. Companies used various inventory control style mechanisms to make sure devices were never in the hands of someone who could use them against the company, while outside sales people were given mobile devices (pagers, mobile computers, mobile phones) that were again controlled by the company. This evolved to include the use of notebook computers and expensive mobile phones as technology continued to become more ubiquitous, and despite companies doing their best to maintain control, this evolution has led to kinds of sensitive corporate data being out and about.
Following close behind this trend came the hackers and political miscreants who have dedicated themselves to breaking into just about everything. So, what have companies, particularly those in the financial services sector, done? Let’s review a few scenarios to see how financial services firms are protecting their valuable corporate identities, data and competitive positions.
Let’s say a company’s corporate controller uses strong passwords everywhere, both on their professional and personal devices, including a password manager. Every sensitive login for the business is protected by two-factor authorization, which consists of an added layer of identification when signing into sensitive accounts. Generally, two-factor authorization works as follows: the user signs in, they were then sent a unique log-in code or something similar to their phone or email, after entering the code, they are then allowed into wherever they were looking to go in the first place. They are plenty of different versions of this system, including using tools like Google Authenticator.
Using two-factor authentication is a common arrangement for many companies today, so why are some resistant to it?
Let’s start with the common points by the components of most systems: the SMS service (two-factor), the recovery method (personal phone or email system) and the recovery action (a confirmation code or phone call). SMS service is not secure and is never advertised as such. Hackers can easily compromise anything sent via any SMS service. Personal email systems are similarly insecure. Hackers are very good at corrupting moderately secure business email systems and any personal system is amazingly easy for nearly any level of hacker. In addition, any personal mobile device is vulnerable in too many ways to list in one article. What if your young child who plays games on your mobile phone at night clicks into the wrong thing? What if your phone is stolen? What if your battery suddenly dies with no notice?
How can we do better? First, encryption is very important. The same encryption services needs to be used on business email systems as well as when employees are at home. As a disclaimer, while there are services that are easier to use, any decent encryption system will make email a bit more difficult. So, for home users, it is safer to have a separate work-only area on their computer, potentially by using one login for only work items and a second login for non-work things. For fans of having two of everything to be safe like myself, if possible, it’s even better to use one device for business and one for personal use.
Returning to the two-factor authentication discussion, what if the recovery email address is a business email address that forwards to other email addresses? The positive here is if one person is not available for any reason, someone else can execute. However, this can create a more sinister and potentially more destructive scenario.
Let’s look at a hypothetical example. Your corporate controller is working late at home and is tired. A popup appears and they are so engrossed in the work that they click on the link. While nothing seems to happens and the window closes, a trojan system has just loaded on the computer and is set to install at the next reboot. After finishing work for the night, the controller shuts down the computer, but when they turn it back on in the morning, the startup is a bit slower but not enough to notice. Unbeknownst to the controller, the trojan system installs a keylogger, an email compromise system and a reporting system that sends information back to the hacker’s server. The keylogger simply collects and transmits every key that is typed. The email compromise sends a copy of every email sent or received to the same hacker server.
In the situation outlined above, imagine what the hacker could accumulate in a week, month or quarter? They will see several two-factor authorizations for many systems and may even see the use of a recovery email as well. Armed with email copies, sign-in information and authorization information, it is very easy to imagine how much damage a hacker could create.
How can a company do better, particularly after an event like this? To start, it is important to determine if you were targeted or if it was just an unlucky event.
From there, it is critical to invest in a very strong anti-virus/anti-malware program. I confess I am Windows centric, and although Apple products have different protections, they are not immune to hackers, so much of what is true for Windows is also true for Apple. There are several top systems that can do the job. These systems are quite effective at preventing the scenario above from ever happening. They also protect your web browsing and will alert you to risks you can encounter. For example, I have used Bitdefender for the last several years and have been quite impressed with its capabilities as well as the mild effect on my computer operation.
While limiting costs is always important, you should spend the money for a top system, any included or free systems are probably not going to cut it. Once you select a system, standardize all of the company’s devices on it, and if people are working at home, get them connected to it as well. The weakest link will turn out to be the entry point.
Of course, the two steps outlined above are good enough to fight most of the unlucky cyber-attack events. But what if you are targeted? This is much more common than most people realize. It could be your competitor, a former employee, a disgruntled current employee or anyone else. That is a topic for a future story.