Putting an increased focus on the latest cybersecurity threats

Participating in the cybersecurity forum were (from left) moderator Steven Brunner of Bankwell Financial Group, Special Agent Mike Shove of the U.S. Secret Service, Larry Sezebni of Apex Technology Services, Al Alper of Cyberguard 360, Allen Santana of Advanced Computer Technologies and Jay Parisi, Partner of Aegis Technology Partners. Photo by Justin McGown.

The data storage and cybersecurity company Datto Inc. hosted a recent forum organized by the Norwalk Chamber of Commerce on the topic of data breaches.

Datto’s Vice President of Business Development Mike DePalma set the tone for the event by sharing information from an upcoming report that found most U.S. cybercrime victims are small and medium-sized businesses (SMBs), and the aggregated value cybercriminals can extract globally from these targets would make them the world’s 9th largest economy.

“That’s how much money is out there,” DePalma said. “And in our findings only three out of 10 businesses are highly concerned about it. It’ll be a banner year for the criminals, and they are focusing on the small to medium-size business community.”

According to DePalma, SMBs are preferred targets for cybercriminals because the lack of concern leads to vulnerabilities they can exploit, and they are the most likely to pay off ransomware attacks since they are less likely to have complete backups or to be able to afford downtime for a system restore.

All of the forum’s panelists agreed that the two most important steps that SMBs can take are implementing multifactor authentication (MFA) and ensuring that staff are properly trained to protect against phishing and “spear phishing” attacks.

MFA is a system which requires a user to log in to a separate app installed on a smartphone or other device whenever they attempt to log in to a network or program. Such security measures make it significantly more difficult for hackers to access systems ”” and while not impregnable, this solution can increase security with minimal disruptions for workers or systems.

Despite the advantages of MFA, Allen Santana, a senior security consultant with Norwalk-based Advanced Computer Technologies, warned of a new attack vector.

“There’s this new one, ‘MFA Fatigue’ where they’re just continuously brute forcing logons and sending push notifications an annoyance until you hit approve,” he said, adding the best countermeasure according to him is properly trained staff.

Spear phishing targets a specific individual, unlike phishing attacks, which seek as many targets as possible. By trawling social media accounts for relevant information, spoofing phone numbers and email addresses, and otherwise leveraging publicly available data, the spear phishing miscreants can make convincing messages that seem trustworthy.

“If we look back probably 10, 15 years ago malicious actors were just sending out random emails to thousands and thousands of people hoping somebody would click on an email that would gain them some type of access to something” said Larry Sezebni, founding partner and chief operating officer at Norwalk-based Apex Technology Services. “And that’s kind of what that landscape had looked like. But since then, it has become far more sophisticated.”

Mike Shove, a special agent for the U.S. Secret Service, explained his own family members were targeted by a sophisticated attack.

“You’ll get a cold call from your bank and it’s really the bad guys,” Shove recounted. “So, someone from my family got a call and thinks that it’s the bank they’re talking to, and then they had a second bad guy who was pretending to be that family member on another phone call with the bank trying to use the credit card.”

The scammers then had the bank send a confirmation code to Shove’s family members and asked them to read it out.

Jay Parisi, a partner with Norwalk-based Aegis Technology Partners, cautioned that the “from” address in an email can be suspect, and safety requires being able to tell if the body of an email seems legitimate.

“Just like a regular letter that you can mail you can write anything in the upper left-hand box. You can make it look like it came from the White House,” he said. “Otherwise, you have to implement certain tools in order to track and see if it’s being spoofed.”

Al Alper of Wilton-based CyberGuard 360 informed the forum audience that “over 95% of all breaches are caused by people. So, when we look at the cybersecurity landscape, I can give you a thousand points to touch on, how it intersects, but ultimately it intersects with the people of your organization and it’s imperative that leaders look at their organization through that lens.”

Alper also advised that cybersecurity should be viewed as an HR matter. Vulnerabilities in the organization need to be tested for and addressed, and an employee who continually falls for phishing attacks may imperil the entire organization, he added.