When it Comes to Cyber Security, Everyone is Vulnerable

YOUNGSTOWN, Ohio – Although ransomware attacks on major companies often command the headlines, data breaches at small and medium-size businesses are daily events across the country.

So says a panel of specialists who deal regularly with companies that have experienced some type of financial loss related to cyber crime.

More than likely, these companies found themselves the victim of sophisticated email scams where the sender is masked as a vendor, contractor or business associate that seeks payment for services.

“Business email compromise in the U.S. is about 17 times larger than ransomware,” said Andy Jones, CEO of Fortress Security Risk Management, a provider of consulting and managed security services for companies.

“You hear about ransomware more regularly because it’s more spectacular,” he said. “It cripples an entire environment.”

Most cyber criminals elect to pilfer money from companies through emails that masquerade as coming from a legitimate vendor. The fake email – often so sophisticated that it’s identical to one from an actual contractor – is generated and sent to the appropriate employee in accounts payable or another department. The email is usually a routine request for payment for services to an account that is secretly managed by the perpetrator.

“We usually see it start out as a small ask,” Jones said, such as wiring $1,500 to a bogus account. “They try to do it quietly, because they want to come back and steal more of your money.”

Recently, Fortress worked with an organization in the Youngstown area that in the course of 12 months lost $1.5 million over seven transactions, he said.  The company’s chief financial officer uncovered the theft.

Jones; Zachary Taylor, manager and solutions engineer at Rea & Associates Inc.; and Margaret Ludwig, president and northern Ohio property and casualty leader for USI Insurance, took part in the discussion as part of the Youngstown/Warren Regional Chamber’s lunch and learn events held at Vallourec. 

Jones related another case in Brunswick, Ohio, in 2019 in which hackers took control of a church’s email, sent an invoice pretending to be the construction firm doing work there, and requested $1.75 million in payment to what they said was a new bank account. The church paid the request, only to receive a legitimate email later from the actual construction firm asking why the church had not paid its bills.

“Reach out, use the phone, verify,” Rea & Associates’ Taylor cautions. “That’s the easiest way to make sure you’re protected.”

Jones said his company works closely with law enforcement – especially the Federal Bureau of Investigation – to track down perpetrators, most of them located in foreign countries.

Still, there are cases when these outside agents have accomplices from inside the company, Jones added.

Cyber criminals seek out those with access to information, for example, who might be disgruntled at their employer or boss, Jones said. Often, they cultivate these sources from social media and, over time, pitch a scheme in which the employee would be paid to provide valuable data so the criminals could breach the system.

After receiving the information, it’s not unusual for the thieves to wait a year before they strike, after that employee is long gone.

“The fastest-growing segment that I’ve been losing sleep over for the last three years is insider threat,” he said.

Shea MacMillan, vice president of economic development at the Chamber and moderator of the event, cited a statistic that manufacturers were the third-highest targets for cyber criminals.

Manufacturers, Taylor noted, are often targeted during the holidays as the busy production season kicks in. These attacks – often launched from foreign sources, China in particular – are usually intended to wreck production or disrupt the supply chain.

Others, such as sources in Russia, are out to sow political instability through social media, Jones adds. Chinese hackers are also intent on infiltrating systems in order to steal intellectual property and copy these products in China, he said.

Ransomware criminals introduce malware that shuts down a company’s systems. To restore these systems, the company is forced to pay a ransom, usually in digital currency.

“It’s pure extortion,” said USI’s Ludwig. “Anybody who has data is vulnerable.”

Ludwig added it’s imperative that companies include some type of cyber security measures – “cyber hygiene” – in their business plan and budget. This includes third party authentication, backup, and other measures intended to keep your systems secure.

Without these measures in place, insurance companies may offer just minimal protection against a major cyber criminal event, she added.

Jones noted that businesses have to change the mindset that they are somehow immune to these threats. 

“You’re going to be victimized,” he said. “You need to develop a relationship with the FBI, your insurance broker, and other sources to mitigate any damage to the business.”

Copyright 2024 The Business Journal, Youngstown, Ohio.