Protecting Your Company from a Cyber Attack Starts with Understanding the Risks

​​​It’s estimated that 55 percent of organizations experienced a cyber attack in the past year, many of which went undetected.

Not only are the threats of cyber attacks rising, but so is the level of disruption and damage they cause. In addition to direct financial losses, the adverse impacts on an organization’s reputation and operations can be even more severe and long lasting.

And it’s not just large corporations being targeted.

“If you think it can’t happen to your organization, think twice,” cautions Ron Borsholm, B.C. Leader, Cyber Security Services for MNP. “Successful attacks have been made on small businesses, retail chains, post-secondary educational institutions, not-for-profit organizations and even minor hockey associations. Hackers don’t discriminate.”

According to Borsholm, spear phishing and ransomware are two of the most common cyber threats.

Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. In one recent case, an organization lost significant money when the accounts payable clerk was targeted and asked by email to change a vendor’s banking information. The criminals then sent fake invoices to the organization, which were paid using the altered banking information.

In another case, the chief financial officer at a not-for-profit received an email that looked like it was from a bank the organization used. It asked her to update her user ID and password and in the rush of a busy day she quickly complied. A few days later, it was discovered that hundreds of thousands of dollars had been stolen and wired out of their account.

Ransomware is a type of malware that prevents users from accessing their computer system unless a ransom is paid. In most cases, users either click an attachment in an email or a link on a webpage which leads to their systems being compromised.

Borsholm recalls a small liquor store that recently fell victim to such ransomware. While the company was only asked for a ransom of $500 in bitcoin (which they paid), it cost more than 10 times the ransom amount to fully restore their computers to a secure state. To add insult to injury, the perpetrator sent the business owner an unofficial receipt thanking them for their “involuntary purchase.”

“Many of these organizations did not have sufficient internal controls in place such as policies, procedures and training to prevent this from happening,” says Borsholm. “Other organizations put controls in place, but then fail to test them to ensure they are working correctly.”

For example, in another ransomware attack in B.C. the company discovered their computer backups had not been working.

“Without any backups, the company was essentially left crippled with a total loss of over six months of operational and financial information until the ransom was paid,” says Borsholm.

Organizations who accept credit card payments face another concern. Under their merchant agreement, they are required to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS).

“The PCI-DSS is a standard which requires a basic level of security and a lot of organizations aren’t aware of it,” Ron explains. “As a result, they don’t follow common security practices, which leads to potential credit card breaches.”

Peter Guo has been working in IT security and audit since 1999 and is MNP’s B.C. Leader for Enterprise Risk Services. He says the first step in protecting your organization is to fully understand your specific situation.

“Do you know what your critical data is and whether that type of data is being targeted?” Do you understand the strengths and weaknesses of your technology? What are the threats and what internal controls do you currently have in place?”

Guo recommends a Maturity and Threat Analysis as a good starting point. This analysis provides the information you need to prioritize your risks and appropriately protect your organization. Education across the organization is also critical through a formal and recurring awareness campaign.

“Good cyber security isn’t just a matter of putting protective technology in place,” Peter emphasizes. “Threats and technologies constantly shift and people need to be constantly reminded to stay vigilant. As organizations change, people enter new roles and have access to different systems, information and data, they need to know what’s expected of them when it comes to cyber security.”

In our increasingly connected world, cyber attacks are happening with increasing frequency and present very real risk for businesses of all sizes. If you’re not sure about your organization’s ability to withstand one, or respond effectively when it happens, take action today to avoid a crisis and protect your company’s assets.

MNP offers a wide range of cyber security services including Maturity and Threat Analysis, PCI Compliance consulting and audits, network vulnerability and penetration testing, and internal control assessments.