Thinking before the attack, not about the aftermath

By Zack Schuler, founder, and CEO of NINJIO

When most people think about cybercrime, they think about headlines: data breaches that affect hundreds of millions of customers, crippling financial losses for companies, and outraged lawmakers interrogating CEOs in front of the cameras. In other words, they think about the aftermath of cyber attacks instead of the attacks to come.

While this is understandable for the average consumer, it’s far less defensible for companies, which face an ever-greater risk of being hacked. Too many companies are reactive rather than proactive about cybersecurity – according to PwC’s 2018 Global State of Information Security Survey, fewer than half of respondents have adopted preventive security measures such as vulnerability and threat assessments. Similarly, the second-most-cited vulnerability in the 2018-2019 EY Global Information Security Survey is “outdated security controls.”

Meanwhile, the number of attacks continues to rise: Since 2014, the FBI’s Internet Crime Complaint Center (IC3) has received more than 1.5 million complaints, and the number has increased every year (from under 270,000 in 2014 to more than 350,000 in 2018). Losses over this four-year period totaled almost $7.5 billion. Other data reflect these findings – according to the 2019 Cost of Cybercrime Study by Accenture and the Ponemon Institute, the average number of security breaches increased from 130 in 2017 to 145 in 2018, while the average cost of each incident jumped from $11.7 million to $13 million.

This glimpse at the state of cybersecurity in the United States isn’t promising – even though attacks are becoming more frequent and more costly, companies’ cybersecurity platforms aren’t keeping pace. Despite the statistics, it often takes a crisis to shift companies into a security-oriented mindset. EY Global reports that 76 percent of organizations “increased their cybersecurity budget after a serious breach” – yet another sign that they didn’t take cybersecurity seriously until it was too late.

While preemptive cybersecurity measures like threat assessments and up-to-date security technology can help companies fend off attacks, what if companies could prevent hackers from selecting them as targets in the first place? What if, instead of merely decreasing the likelihood that an attack will be successful or mitigating its consequences, they could decrease their susceptibility to hacking altogether?

Consider the following scenario: The CEO of a company is an active social media user who shares a great deal of personal material online – family updates, travel plans, political opinions, daily habits, and many other forms of identifying information. While this may seem innocuous (it’s not as if he’s posting bank account information or confidential data), he’s handing attackers a large stockpile of information that they can use to infiltrate his company.

For example, let’s say the CEO posts about an upcoming conference where he’ll be interacting with many potential clients and keeping up with his daily responsibilities remotely. This is the perfect time for hackers to launch a business email compromise (BEC) attack – a form of social engineering in which cybercriminals impersonate someone in a position of authority at a company to steal sensitive information.

Little does the CEO know, his email account has been compromised and hackers have been monitoring his social media profiles for months, giving them abundant information to craft a believable fake email. They send the CTO a message that goes something like this:

“Hey, Jan – IBM is interested in working with us on that infosec project we discussed a few months ago! I just chatted with the CISO and we have a call set for the Tuesday after I get back. I’d like to show him the prospectus before I leave, but I forgot my login info and locked myself out of our system. Could you send updated credentials ASAP? We’re meeting in an hour.”

All the information hackers needed to create such a realistic scam email could be found on social media, from a Facebook picture of the CEO with IBM’s CISO at the conference to a LinkedIn post about how long the conference would last to updates on Twitter about the company’s latest information security initiatives. This isn’t to say the CEO’s posts were a serious case of security malpractice – social media can be a great way to generate interest in your company, engage with customers, and share important information. But even heavy social media users can limit their risk by making their personal accounts private, only sharing intimate details about their lives with people they know, rejecting strange friend requests and connections, never posting sensitive content, and considering the security implications of everything they post.

Cybersecurity professionals have to recognize that even the most seemingly inconsequential disclosures can lead to multi-million-dollar data breaches, and social engineering hacks like BEC often precede these breaches. The 2018 FBI IC3 Internet Crime Report found that BEC was by far the costliest type of cybercrime last year, causing almost $1.3 billion in losses. This means the best way to prevent the most harmful form of hacking is to have educated employees who can spot attempts to manipulate them and who always verify the identity of anyone requesting sensitive information.
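As an added illustration (not part of the article or of NINJIO's material), the following Python triage rules score an inbound message for the signals the scenario above relies on: a request for credentials, pressure to act before anyone can verify, an executive's display name on the wrong address, and a diverted Reply-To. The executive roster, domain and sample messages are constructed assumptions; the first sample reuses the quoted scam text on the real executive address, as in the compromised-account case, so only the content rules fire.

```python
import re

# Hypothetical executive roster (assumption, not from the article): display
# names, lower-cased, mapped to the only address allowed to use them.
EXEC_DIRECTORY = {"chris example": "chris@example.com"}

# Content signals: a request for account access, and pressure to act before
# the request can be verified out of band.
CREDENTIAL_REQUEST = re.compile(
    r"\b(login (info|details)|credentials?|passwords?|locked (\w+ )?out)\b", re.I)
URGENCY = re.compile(r"\b(asap|in an hour|before i leave|right away|urgent)\b", re.I)


def triage(msg):
    """Return (score, reasons) for one inbound message given as a dict with
    display_name, from_addr, reply_to and body."""
    reasons = []
    name = msg["display_name"].strip().lower()
    addr = msg["from_addr"].lower()
    if name in EXEC_DIRECTORY and EXEC_DIRECTORY[name] != addr:
        reasons.append("executive display name on a non-executive address")
    if msg.get("reply_to") and msg["reply_to"].lower() != addr:
        reasons.append("Reply-To diverts answers to a different mailbox")
    if CREDENTIAL_REQUEST.search(msg["body"]):
        reasons.append("asks for credentials or account access")
    if URGENCY.search(msg["body"]):
        reasons.append("urgency cue discourages verification")
    return len(reasons), reasons


def needs_verification(msg, threshold=2):
    """True when the request should be held until the sender is confirmed
    through a known phone number or in person, never by replying."""
    return triage(msg)[0] >= threshold


# Constructed samples. The first reuses the article's quoted scam text on the
# real executive address (compromised account), so only the content rules fire.
SCAM_BODY = ("Hey, Jan - IBM is interested in working with us on that infosec project! "
             "I forgot my login info and locked myself out of our system. Could you "
             "send updated credentials ASAP? We're meeting in an hour.")
FROM_COMPROMISED_ACCOUNT = {"display_name": "Chris Example", "reply_to": None,
                            "from_addr": "chris@example.com", "body": SCAM_BODY}
FROM_LOOKALIKE_DOMAIN = {"display_name": "Chris Example", "reply_to": None,
                         "from_addr": "chris@examp1e.com", "body": SCAM_BODY}
ROUTINE = {"display_name": "Chris Example", "reply_to": None,
           "from_addr": "chris@example.com",
           "body": "Slides for Tuesday's call are in the shared folder."}
```

The compromised-account sample scores 2 on content alone, which is why training people to verify a credential request out of band matters more than any sender check.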

Your first and last line of defense against social engineering hacks like BEC is the development of a culture of security. Just think of how many billions of dollars and how much consumer trust could have been saved if even a fraction of the companies hit with BEC schemes last year had better-trained employees. In fact, if those employees had adopted safer social media habits, hackers might not even have tried to attack their companies in the first place.

About the Author

Zack Schuler is the founder and CEO of NINJIO, an IT security awareness company that empowers individuals and organizations to become defenders against cyber threats. He is driven by the idea of a “security awareness mindset,” in which online safety becomes part of who someone is – almost an element of their DNA. This mentality is what gives people the ability and the confidence to protect themselves, their families, and their organizations. Prior to launching NINJIO, Zack was the founder and CEO of the IT services company Cal Net Technology Group. Over the course of fifteen years, what started as a solopreneur venture run from the trunk of his car turned into a multi-million-dollar business. Cal Net was acquired by Olympic Valley Capital in 2013.

In addition to his entrepreneurial pursuits, Zack is a member of the Forbes Technology Council and is on the board of governors for Opportunity International, an organization that provides microfinance loans, savings, insurance, and training to over 14.3 million people who are working their way out of poverty in the developing world.