It’s not a question of if your organization is going to be hit by a cyberattack, but when, according to an FBI agent specializing in white-collar crime.
Eric Burns, a supervisory special agent with the FBI office in Milwaukee, was the keynote speaker Tuesday at the Cybersecurity Symposium, which was presented by Insight Publications and held at the Red Lion Hotel Paper Valley in Appleton.
“Your digital life is your life. It’s all about securing your information so you don’t become a victim of an attack,” Burns said. “Eighty percent of businesses nationwide have been hacked, so it’s definitely something you need to prepare for.”
In addition to Burns’ presentation, the event included four educational breakout sessions presented by CliftonLarsonAllen, US Bank, Heartland Business Systems and M3 Insurance designed to provide organizations with additional information on how to keep their data and systems safe from attacks.
Burns said while investing in strong, secure technical infrastructure is important, so is investing in employees and making sure they understand the risks.
“If you don’t educate your employees, hackers will find a way in,” he said. “They will keep at it until they find a weak link and get their way in.”
Once hackers get into an organization’s computer network, they can employ a whole host of tactics, from posing as the CEO and requesting money transfers into bogus accounts owned by the hackers to locking down files and holding them for ransom.
Burns said businesses lost $1.2 billion last year in email compromise schemes, in which a hacker poses as someone else to get an employee to transfer money to an account he or she controls. Hackers usually get in through phishing schemes, he said.
“The hacker gets an employee to click on an attachment or link, and it downloads something onto the company’s network,” Burns said. “Another common attack is using an email similar to the CEO’s and then posing as him or her to get that worker to do something. For example, if your company is Heartland, they may create an email that uses a capital I instead of the lowercase l, so it looks like Heartland, but it really isn’t.”
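The capital-I-for-lowercase-l trick Burns describes is a look-alike (homoglyph) domain, and it is something a mail gateway or a help-desk script can check for mechanically. The following is an added example, not code from the symposium or from any of the companies named here: it reduces a sender's domain to a "skeleton" in which commonly confused characters collapse to one form, then compares that skeleton against a list of domains the organization trusts. The trusted domain list, the confusable-character table, and the sample addresses are constructed for illustration; a production check would use a fuller confusables table (for example, the Unicode consortium's published one) and would sit alongside the sender-authentication controls the article recommends rather than replace them.

```python
import unicodedata
from email.utils import parseaddr

# Constructed, deliberately small table of characters that look alike in common
# fonts. Keys are replaced by values before case-folding, so that a capital "I"
# (the trick mentioned in the article) collapses onto lowercase "l".
CONFUSABLES = {
    "I": "l",        # capital i looks like lowercase L
    "1": "l",        # digit one looks like lowercase L
    "|": "l",        # vertical bar looks like lowercase L
    "0": "o",        # zero looks like lowercase o
    "\u0430": "a",   # Cyrillic a looks like Latin a
    "\u0435": "e",   # Cyrillic ie looks like Latin e
    "\u043e": "o",   # Cyrillic o looks like Latin o
    "\u0440": "p",   # Cyrillic er looks like Latin p
    "\u0441": "c",   # Cyrillic es looks like Latin c
}

# Constructed list of domains the organization treats as its own or its vendors'.
TRUSTED = {"heartland.com", "insight.com"}


def skeleton(domain: str) -> str:
    """Collapse a domain name to a form in which look-alike spellings compare equal.

    Order matters: accents are stripped first, the two-letter "rn" (which reads
    as "m") is collapsed, single-character confusables are mapped while case is
    still available, and only then is the result lower-cased.
    """
    text = unicodedata.normalize("NFKD", domain)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.replace("rn", "m")
    text = "".join(CONFUSABLES.get(c, c) for c in text)
    return text.lower()


def classify_sender(address: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain of an email address.

    An exact (case-insensitive) match against the trusted list wins. Otherwise a
    domain whose skeleton matches a trusted domain's skeleton is a look-alike,
    which is the case that deserves a phone call before any wire is sent.
    """
    _, addr = parseaddr(address)          # handles 'Display Name <user@domain>'
    domain_raw = addr.rsplit("@", 1)[-1].strip()
    if not domain_raw:
        return "unknown"
    if domain_raw.lower() in trusted:
        return "trusted"
    sk = skeleton(domain_raw)
    if any(skeleton(t) == sk for t in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders: one genuine, several look-alikes, one unrelated.
    samples = [
        "ceo@heartland.com",
        "CEO <ceo@HeartIand.com>",      # capital I in place of lowercase l
        "ap@heart1and.com",             # digit one in place of lowercase l
        "ap@heartl\u00e1nd.com",        # accented a
        "ap@h\u0435artland.com",        # Cyrillic e
        "someone@example.org",
    ]
    for s in samples:
        print(f"{classify_sender(s):9s}  {s}")
```

The check is intentionally conservative: it only flags domains that collapse onto something the organization already trusts, so an unrelated domain is reported as unknown rather than as an attack, and the trusted list itself is compared exactly before any skeletonizing takes place.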
Burns said hackers do a lot of research before launching an attack on a business. They can search a CEO’s social media accounts and use information gleaned to make their fraudulent emails sound more authentic. For example, Burns said a hacker could go to a CEO’s Facebook page and see he coaches his daughter’s soccer team. The hacker could then send what looks like an email from the CEO to someone in the company asking for a wire transfer and add that he’ll be hard to reach because he’s coaching his daughter’s game.
“It sounds real and legit. It’s all of those little details that they find out and then use to their advantage,” Burns said. “They do their research, so you need to do your own research to stay ahead.”
Another frequent attack is posing as a vendor and having an organization send money to a bogus account. By the time the mistake has been uncovered, the money is long gone, Burns said.
Ransomware attacks are also growing in number, Burns said. In those cases, a hacker finds a way into the network and holds data and information hostage until a fee is paid — usually in cryptocurrency, Burns said.
“Think of all the devices connected to your network — we had one case where someone got in a company and then hid in the ‘smart’ thermostat until the dust had settled and then launched an attack,” he said. “At the FBI, we don’t use wireless keyboards or mice since that’s a way people can get in.”
Burns also provided these suggestions as ways organizations can protect themselves from cyberattacks:
- Develop an intrusion response plan so employees know what to do if the company is faced with a cyberattack
- Create a so-called Red Team that sets up examples and tests of cyberattacks for employees to help them better identify potential pitfalls
- Use an email authorization service
- Use tools that constantly scan the network for malware and viruses
- Change all default passwords, and don’t make passwords easy for people to guess
- Use multifactor authentication
- Limit administrative access to the network
- Monitor and review logs
“Every week, we get 20 to 25 calls related to internet scams in the Milwaukee FBI office,” Burns said. “Cybersecurity is a growing problem, which is why we think education is so important.”
If an organization is really concerned about a cyberattack, Burns said they can always do what the Kremlin did: Go out and buy some typewriters and use those to record sensitive information. Without data files, cyberattacks won’t work.