When planning for business continuity during a disaster, companies shouldn’t forget about the potential impacts of a cyber threat or attack.
That was the message Joshua Shreve, a cybersecurity specialist with the Coast Guard’s Sector Ohio Valley, shared during Marine Safety Unit Paducah’s Industry Day on October 18.
In his maritime cybersecurity presentation, Shreve began by providing recent cyber-attack statistics, which found that 66 percent of organizations reported being hit by ransomware in the last year and that almost 75 percent of companies surveyed said a ransomware attack would be a “death blow.” Sixty percent of the company representatives surveyed said they felt their organization might be hit with a ransomware attack within the next 12 months.
When ransomware attacks do take place, they can be costly, Shreve said. He reported that the average cost of such an attack is $2 million.
To increase cybersecurity, Shreve suggested “reducing the blast radius” by following a principle that limits online access to employees who need it.
“Don’t give people access to things they don’t need to access just because it’s easier to check a box to give everybody access to it,” he said.
Shreve also suggested requiring authorization on every device every time it is used, whether that is through a smartcard or biometric scanning such as a fingerprint or facial recognition.
Shreve made a quick but memorable quip. “Passwords are like underwear: don’t let people see it, change it very often, and you shouldn’t share it with strangers. I’ll add to that. Don’t leave it out on the counter.”
He said he was amazed how many times he visited a business and found that people stored their passwords on a piece of paper under the keyboard.
Passwords should be long, complex and unique, he said.
Only 38 percent of people use unique passwords for all their accounts, Shreve said, adding that it is much safer to use a commercially available password manager, which has been found to be easier to use, more efficient and more secure. Additionally, password managers work across all devices and operating systems and can warn you when a password might have been compromised or if a website is potentially a malicious one.
Phishing, in which someone sends a false email or text message claiming that the receiver needs to respond by providing passwords, PINs or personal or financial information, is increasingly common.
“Is it poorly written?” Shreve asked when evaluating such a message. “That’s a telltale sign.”
Such messages often don’t have a personalized message but may use something like “Hello, dear,” he said.
Shreve said that when judging whether a message is genuine, it is important not to rely on the apparent sender’s address looking valid, nor on calling the phone number listed in the email, since both may have been falsified.
“I would implore you, if you’re not sure who the contact is, or even if you are, use another form of contact,” Shreve said.
Additionally, it is important to verify that invoices are legitimate before paying them, since payment hands the sender access to your financial information, he said.
Look at website URL addresses carefully. Some malicious sites look very similar to legitimate ones. An example is one that used a lowercase r and n next to each other to mimic an m in a popular online shopping website, Shreve said.
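The lookalike-URL trap described above can be checked mechanically before a link is clicked or an invoice’s payment portal is trusted. The following is an added example, not code from the presentation or from the Coast Guard: it compares a URL’s host against a small allow-list of domains a company actually deals with, flagging hosts that imitate a trusted name through confusable character sequences (such as “rn” standing in for “m”) or by burying the trusted name as a subdomain of an unrelated domain. The domain names in the allow-list and test URLs are constructed placeholders; the confusable table beyond the “rn”/“m” case is an assumption of the example, and the domain parsing is simplified (it treats the last two labels as the registrable domain and ignores suffixes such as co.uk).

```python
from urllib.parse import urlparse

# Constructed allow-list of hostnames the company legitimately deals with
# (placeholder names chosen for this example, not from the presentation).
KNOWN_GOOD_HOSTS = {"acmemart.com", "shipping.acmemart.com", "portal.riverfreight.com"}

# Visually confusable sequences and the character they imitate. "rn" -> "m" is the
# case from the presentation; the remaining entries are assumed common substitutions.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def registrable_domain(host: str) -> str:
    """'www.acmemart.com' -> 'acmemart.com'. Simplified: treats the last two labels as
    the registrable domain and ignores multi-part public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_confusables(text: str) -> str:
    """Collapse lookalike sequences so 'acrnemart' compares equal to 'acmemart'."""
    for seq, canonical in CONFUSABLES:
        text = text.replace(seq, canonical)
    return text


def check_url(url: str):
    """Classify a URL against KNOWN_GOOD_HOSTS.

    Returns (verdict, matched_domain) where verdict is one of:
      'known'     - host is, or is a subdomain of, an allow-listed domain
      'lookalike' - host imitates an allow-listed domain (confusable characters,
                    or the trusted name used as a subdomain of a different domain)
      'unknown'   - no relation to the allow-list
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").rstrip(".")
    if not host:
        return ("unknown", None)

    known_domains = {registrable_domain(h) for h in KNOWN_GOOD_HOSTS}
    domain = registrable_domain(host)
    if domain in known_domains:
        return ("known", domain)

    # Trusted name embedded under an unrelated registrable domain,
    # e.g. acmemart.com.evil-example.net
    for known in known_domains:
        if host.startswith(known + ".") or ("." + known + ".") in host:
            return ("lookalike", known)

    # Confusable-character imitation, e.g. acrnemart.com for acmemart.com
    normalized = normalize_confusables(domain)
    for known in known_domains:
        if normalized == normalize_confusables(known):
            return ("lookalike", known)

    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs exercising each verdict.
    for u in ["https://www.acmemart.com/orders", "http://acrnemart.com/login",
              "https://acmemart.com.evil-example.net/", "https://totallydifferent.org"]:
        print(u, "->", check_url(u))
```

A check like this belongs at the point where a link or invoice is about to be acted on; an “unknown” result is not proof of fraud, but a “lookalike” result is exactly the telltale sign Shreve describes and should go to IT rather than be clicked.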
Employees who are the victims of phishing attempts should report it to their supervisors and not just delete the message, Shreve said.
“Other people may have received the email,” he said. “Quick reporting can prevent an attack.”
He also warned that it was important not to forward the email to any workers except for information technology (IT) staff since people do not always pay close attention and could become victims. If a phishing email is forwarded to coworkers, the sender should at least remove the links first, Shreve said.
Blocking the person sending a phishing attempt can also be a good step, he said.
Automated software updates help prevent attacks from hackers, Shreve said. Additionally, when downloading a driver or a security patch, always go straight to the source and never download from other websites.
Maintenance is also important, he said. Performing backups and automatically updating software should be part of a company’s normal IT processes.
“Maintaining your software is really important,” Shreve said. “A lot of people overlook that.”