Cybercriminals are a lot of things – but they’re certainly not set in their ways. These bad actors continually observe how organizations are protecting against threats – or not. As soon as robust defenses against attacks become widespread, they pivot. If you haven’t taken steps to protect your organization, you’ve made it even easier for them.
Even if you’ve prepared in the past, it’s a good idea to assess your cyber risk level today. If you’ve been thinking about taking those steps, but aren’t sure how to go about it, now is the time to act. The unending cycle of new risks and new protections makes keeping your organization safe more complex than ever before. Experts can help immeasurably.
The consistent growth in ransomware attacks is a significant threat to businesses of all types. In 2023, organizations all around the world detected 317.59 million ransomware attempts, with 43 percent of those targeted at companies in the US.
The damage these attacks can cause ranges from financial losses to irreparable reputational damage – and worse. According to a survey by Cybereason, 66 percent of victimized organizations experienced a significant loss of revenue following an attack, and seven percent paid ransoms exceeding $1.4 million. (Compare that to the first known ransomware attack in 1989, whose victims were instructed to send $189 to a P.O. box in Panama. It’s almost cute.)
To compound the quandary, paying up doesn’t necessarily mean you’re safe. According to the Cybereason report, fewer than half (47 percent) of victims got their systems and data back uncorrupted. And nearly 80 percent of organizations that paid a ransom were breached again, with many of them facing an even higher ransom demand.
Ransomware attackers are also finding new ways to extort their victims. Traditional techniques involved encrypting the target’s data and charging a ransom for the decryption key. Now, cybercriminals frequently threaten to release or sell the data if the ransom isn’t paid, in a so-called “double extortion” scheme. They may also threaten to publish an organization’s data if law enforcement is notified.
Cybercriminals have clearly learned that manipulating people into providing access to a network or valuable information can be easier than hacking in. The goal of this approach, known as social engineering, is to influence, manipulate, or trick people into sharing sensitive information, like passwords, Social Security numbers, or bank account information.
Small and mid-sized businesses are an ideal target for these types of attacks. One study found that, on average, an employee of a small business with fewer than 100 employees will experience 350% more social engineering attacks than an employee at a larger enterprise.
Social engineering hacks are often targeted at lower-level employees, such as receptionists and security personnel. Executive assistants are also a popular target, as they have access to executive accounts and calendars, and often can send messages to an entire organization on behalf of executives.
By today’s standards, the old-fashioned email scams we’re all familiar with look almost quaint. Cybercriminals continue to evolve, developing an ever-changing range of creative attacks. Here are a few of the most common.
There are steps an organization can take to guard against this new generation of attacks.
With new types of attacks arising constantly, many organizations struggle to maintain the levels and types of protection they need. It’s simply not practical for most small to mid-sized businesses to maintain a full-time IT staff dedicated to keeping pace with threats, ensuring employees have the training and information they need, and managing compliance demands. (According to Glassdoor, the average IT support specialist salary in the US ranges from $48,000 to $75,000 per year, depending on location and other specifics.)
In many cases, the most cost-effective choice may be to bring an external expert on board. The right provider will take the time to develop a deep understanding of your business, offer the detailed expertise and guidance that suits your needs now, and ensure you’re protected from threats as they evolve.
CompassMSP offers an expansive range of services designed to keep small and mid-sized businesses protected in an ever-changing environment of risk. From comprehensive, ongoing support to assistance with your own IT initiatives, and all points in between, we’re able to provide the level and type of service that ensures your technology is aligned with your objectives, and you’re always protected against today’s threats.
To learn more about how CompassMSP can help, please contact us here, or call 833-444-2677.