On December 13, 2020, the U.S. Department of Homeland Security warned users of SolarWinds that attackers had compromised the company's Orion network-management software. The attackers inserted malicious code into Orion's own digitally signed updates, so customers installed the backdoor through their normal patching process. Orion is used by hundreds of thousands of entities, including several federal agencies, every one of the top ten telecommunications companies, every big five accounting firm, 85 percent of the Fortune 500, and a wide range of municipalities across the United States.
“It’s been said on a scale of one to ten this is probably an eleven for the type of attack, the magnitude and the potential damage it’s done,” said cybersecurity analyst Mark Wright[1], Chief Security Adviser at California-based cybersecurity company SentinelOne. The intrusion is believed to be a significant and organized campaign by a nation-state. So far the probe has found that the U.S. Treasury and Commerce departments were affected and that the intruders were able to monitor internal email[2].
At the time of publication, few know exactly who was compromised, how much information fell into the hands of hackers, and how long the fallout from this will last.
Everyone is at Risk—But Some Hacks Are Easier Than Others
The SolarWinds campaign was potentially one of the most well-organized breaches ever, and the resources needed to carry it out were immense. Compromising a small or mid-sized business rarely takes the full power of a state actor. More often, lax policies and practices open companies up to simple, low-effort attacks.
That is doubly true in 2020, when many of us are still working from home and relying on email, video chat, remote access, and applications that are unfamiliar to both users and the security team.
From phishing emails and other social engineering ploys to poorly managed passwords, there are many ways to leave your company open to attack. To address this, business and IT leaders need to know what kinds of threats exist, where they come from, how to address them, and what to do in the event of a data breach.
Common Threats to Small and Mid-Sized Businesses
As every part of your business becomes more thoroughly connected, the number of doors you need to lock multiplies with every new connection. A breach of one system exposes not only that system but potentially everything it is connected to. From devices to applications, anywhere a door can be left open is a vector for attack.
This means that cybersecurity is no longer only an IT issue but one that reaches into manufacturing, production, sales, logistics and every other business operation enabled by digital technology. In its Top 50 Security Threats eBook[3], Splunk discusses a variety of attack vectors and tactics, including but not limited to the following:
- Account Takeover: An attacker obtains a customer's, user's or employee's credentials (through phishing, passwords reused from other breaches, or malware), logs in as that person, and changes the recovery email, phone number or password to lock the real owner out.
- Application Access Token: Rather than stealing a password, an attacker steals, or tricks a user into granting, an application access token such as an OAuth token for a cloud mailbox. The token lets the attacker act as the user through the application's API, bypassing the normal login and, because multi-factor authentication happens when the token is issued, usually bypassing MFA as well.
- Bill Fraud: Similar to invoice fraud, attackers send fraudulent but authentic-looking bills instructing customers to transfer funds from their accounts. The amounts are often kept small enough to pass through the approval process without scrutiny.
- Brute Force Attack: Attackers try passwords until one works, usually starting with the most commonly used passwords, or try one common password against many accounts (password spraying) to stay under lockout thresholds. Rate limiting, account lockout and multi-factor authentication blunt both variants.
- Cloud Access Management: An example of one flaw exposing others. Over-permissive roles or leaked cloud credentials give an attacker a foothold in your cloud environment; from there they can use the privileges they have acquired to reach other systems and remote entry points.
- Cross Site Scripting: XSS occurs when an attacker gets a web application to deliver malicious code, generally a browser-side script, to another user. The script runs in the victim's browser with the application's own permissions, so it can steal session cookies or act on the victim's behalf.
- Denial of Service/Distributed Denial of Service: The goal of a DoS or DDoS attack is to overwhelm a targeted service or network with traffic until it crashes or becomes unreachable for legitimate users; a distributed attack uses many compromised machines at once. These attacks cause extensive damage through security and cleanup costs, loss of reputation, loss of revenue and customer attrition.
- Drive by Download Attack: A drive-by download is the unintentional download of malicious code onto a computer or mobile device, typically by simply visiting a compromised or malicious web page that abuses an unpatched browser or plugin, and it exposes the user to further threats.
- IoT Threats: Criminals and nation-state actors exploit vulnerabilities in connected IoT devices, which often ship with default passwords and are rarely patched, to plant malware. They then use the devices as a foothold to reach other systems or steal intellectual property.
- Man in the Middle Attacks: A man-in-the-middle (MITM) attack is a form of eavesdropping in which a malicious actor positions themselves between two communicating systems and intercepts, and possibly alters, the traffic between them.
- Network Sniffing: The real-time capture, monitoring and analysis of data flowing within a network. Comparable to wiretapping; attackers can read any data that is not encrypted in transit.
- Pass the Hash: PtH lets an attacker authenticate as a user by presenting the user's stored password hash (typically a Windows NTLM hash captured from a compromised machine) instead of the plaintext password, so the password never has to be cracked.
- Phishing and Spearphishing: Uses an email that appears to come from a familiar sender to convince a user to open a malicious link or file, often leading to a look-alike login page that captures credentials. Spearphishing targets a specific person or role with tailored details.
- Ransomware: Malware that encrypts a user's or network's data after infecting a host. Attackers demand payment for the decryption key and increasingly also threaten to leak or destroy the data if the ransom is not paid.
- SQL Injection: A type of injection attack that manipulates or destroys a database by smuggling malicious SQL through input that the application concatenates into its queries. A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administrative operations, and more; parameterized queries prevent it.
- Spyware: A type of malware used to gather information including activity, passwords, or keystrokes.
- Typosquatting: Attackers register look-alike domains (e.g. fasebook) and wait for someone to mistype an address and enter information on the impostor site. Used heavily by tech support scammers.
- Zero Day Attacks: Attackers find a vulnerability and exploit it before the vendor knows about it or has released a patch, so no update can yet protect against it. 2021 is expected to see a new zero-day exploit every day.
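The Brute Force item above mentions both straight password guessing and password spraying; the difference matters because a per-account lockout stops the first but not the second. This added example, which is not from the page or from Splunk, shows the detection logic a small IT team could run over SSH authentication logs. The log lines are constructed for the example in OpenSSH's auth.log format (the hosts, accounts and addresses are invented), and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format; these are not real logs.
# 203.0.113.9 hammers one account (brute force); 198.51.100.7 tries one guess
# against many accounts (password spraying) and then gets in; 192.0.2.44 is a
# legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Dec 14 09:01:02 web1 sshd[2011]: Failed password for bob from 203.0.113.9 port 51012 ssh2
Dec 14 09:01:03 web1 sshd[2011]: Failed password for bob from 203.0.113.9 port 51013 ssh2
Dec 14 09:01:04 web1 sshd[2011]: Failed password for bob from 203.0.113.9 port 51014 ssh2
Dec 14 09:01:05 web1 sshd[2011]: Failed password for bob from 203.0.113.9 port 51015 ssh2
Dec 14 09:01:06 web1 sshd[2011]: Failed password for bob from 203.0.113.9 port 51016 ssh2
Dec 14 09:05:10 web1 sshd[2052]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Dec 14 09:05:11 web1 sshd[2053]: Failed password for carol from 198.51.100.7 port 40002 ssh2
Dec 14 09:05:12 web1 sshd[2054]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Dec 14 09:05:13 web1 sshd[2055]: Accepted password for dave from 198.51.100.7 port 40004 ssh2
Dec 14 09:30:00 web1 sshd[2090]: Failed password for erin from 192.0.2.44 port 60000 ssh2
Dec 14 09:30:05 web1 sshd[2090]: Accepted password for erin from 192.0.2.44 port 60000 ssh2
"""

# sshd reports unknown accounts as "invalid user NAME"; the optional group absorbs that prefix.
LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(line):
    """Return (result, user, ip) for an sshd password-auth line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("result"), m.group("user"), m.group("ip")

def analyze(log_text, fail_threshold=5, spray_threshold=3):
    """Flag brute-force, password-spray and success-after-attack patterns.

    Returns a dict of sorted lists:
      brute_force:          (ip, user, failures) with >= fail_threshold failures on one account
      password_spray:       (ip, distinct_users) where one IP failed against >= spray_threshold accounts
      success_after_attack: (ip, user) successful logins from an IP flagged by either rule above
    Thresholds are assumed starting points, not recommendations from the page.
    """
    failures = defaultdict(int)      # (ip, user) -> failed attempts
    users_by_ip = defaultdict(set)   # ip -> accounts it failed against
    successes = []                   # (ip, user) for accepted logins, in log order
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        result, user, ip = parsed
        if result == "Failed":
            failures[(ip, user)] += 1
            users_by_ip[ip].add(user)
        else:
            successes.append((ip, user))

    brute_force = sorted(
        (ip, user, n) for (ip, user), n in failures.items() if n >= fail_threshold
    )
    password_spray = sorted(
        (ip, len(users)) for ip, users in users_by_ip.items() if len(users) >= spray_threshold
    )
    suspicious_ips = {ip for ip, _, _ in brute_force} | {ip for ip, _ in password_spray}
    success_after_attack = sorted(
        (ip, user) for ip, user in successes if ip in suspicious_ips
    )
    return {
        "brute_force": brute_force,
        "password_spray": password_spray,
        "success_after_attack": success_after_attack,
    }

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

On the sample log the brute-force rule flags bob's account, the spray rule flags 198.51.100.7 even though it never failed more than once per account, and dave's successful login from that address is surfaced as the finding that needs an immediate password reset; erin's single typo is not flagged. A successful login from a flagged source is the event to alert on first, because everything before it is noise until someone gets in.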
The Path to Prevention Starts with Understanding
Now that you know how you can be attacked, the next question is how to protect yourself. Over the years, the Acadia team has published advice on the steps needed to protect your business from these threats; the articles are listed below.
- Cybersecurity Terms to Know[4]: To take steps to protect your business, it’s essential to become familiar with the most common forms of cyber-attack and understand key terminology. From authentication to website defacing scams, we discuss some of the most important terms to know in our blog.
- What You Should Know about Social Engineering Fraud[5]: One of the oldest tricks in the book, social engineering has been in the con artist's toolbox for millennia. In the modern era, it often means a thief impersonating a vendor, client, employee or partner of your organization to extract critical information.
- Three Steps to Protecting Your Business from Privacy Breaches[6]: Get to know your responsibilities, develop a response plan, and know what you need to do during and after you respond. We explore three critical steps to protect yourself.
- What to Know about BYOD[7]: Although written when employees brought their own devices into the office, the situation in 2020 is reversed: company work is now done on devices at home. The best practices still apply, so understanding the steps to protect yourself still matters when working from home.
- Six Must-Know Cybersecurity Tips for Small Businesses[8]: Understanding your risk requires you to understand your business. In our article on the six things every business leader should know about protecting their business, we look at security, monitoring, preparedness, and more.
Six Questions to Ask about Cyber Insurance
Understanding how you manage risk is nearly as important as understanding the risks themselves. Cyber and data breach insurance can protect you in the event that something does happen, but getting the most out of a policy requires you to understand how it works. PwC recommends[9] asking the following questions to understand the maturity of your cyber insurance coverage.
- Do We Have a Policy? According to PwC, executives and IT are rarely on the same page when it comes to cyber insurance. Frequently, the assumption is that an existing property damage or business continuity policy will cover an incident even if the policy is “silent” on cybersecurity issues. A dedicated cyber and data breach policy addresses this.
- Who is in Charge? In addition to knowing whether or not you have a policy, you have to know who’s in charge of it. In the event of an attack, you should know who is the point person, who is filing the claim, and who will see the claim through processing.
- Do We Have the Right Coverage? Depending on your industry, you may be at a higher risk than others. For medical companies, banks, utilities, technology firms, and the like, you may not have enough. Understanding how much you need will require you to quantify your risk to understand whether you have the right amount for your risk profile.
- What Kind of Coverage Do We Have? A critical question if you haven’t looked at your policy recently: it’s vital to know whether your policy is tailored to today’s threats. PwC notes that the worst time to ask whether your policy covers ransomware is after you’ve been infected. Ask whether data restoration is covered, as well as root cause investigations, communications, and potential exclusions (for example, a nation-state attack, which might be written off as an act of war).
- Does the Provider Understand Our Industry and Its Risks? You might have worked with your insurer for decades. This may be a problem. It pays to know if the insurer is well versed in cyber insurance and whether they are knowledgeable about the risks that a breach may have on your industry.
- Can Our Policy Grow and Change with Us? Attack vectors change. For example, ransomware wasn’t as prevalent five years ago, so older policies may not have evolved with the threat.
Review Your Policy and Discuss Your Needs: Get to Know Acadia
Risks change and policies need to change with them. If you’re looking to understand whether you’re protected from risks in the future, you need to speak with an expert on Data Breach and Cyber Liability.
Acadia Insurance provides a comprehensive insurance solution to help business owners protect against most major exposures their business might face. When it comes to Privacy Breach & Cyber Liability Insurance, Acadia can set you up with a plan built to protect you, with coverage including:
- Incident Response Plan — Access to a customizable data breach incident response plan template, essential to minimizing the impact and potential fallout of a data breach
- Crisis Management — Time-saving professional service to guide you in handling a breach
- Notification Assistance — Assistance in preparing notification to impacted individuals in accordance with regulatory requirements
- Media Relations Consulting — Public relations assistance to help restore your business’ reputation
With empowered teams positioned locally, Acadia Insurance provides its customers with a high level of hands-on service and a deep understanding of their insurance needs. Get to know more about our Privacy Breach & Cyber Liability Coverage for Commercial Policyholders[10] and the other products we offer[11]. When you’re ready to make the move, contact one of our agents today[12]!
Acadia Insurance is pleased to share this material with its customers. Please note, however, that nothing in this document should be construed as legal advice or the provision of professional consulting services. This material is for general informational purposes only, and while reasonable care has been utilized in compiling this information, no warranty or representation is made as to accuracy or completeness.