Ric Opal, principal at BDO Digital, explains to Digital Journal readers the key cybersecurity lessons to be learned for retailers from this year’s Amazon Prime Day. He also explains how to implement these aspects for the holiday season.
This includes phishing, smishing and vishing. Opal notes that humans are fallible, which makes social engineering successful, especially when there’s a feeling of urgency, such as short-lived sales. Stopping phishing, smishing and vishing attacks before they reach a person is a critical cybersecurity strategy.
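One way to act on the "stop it before it reaches a person" point is to score incoming mail on a few indicators that matter most during short-lived sales: a brand in the display name that does not match the sending domain, urgency language, and links whose visible text names one host while the `href` points at another. The script below is an added example written for this page, not code from BDO Digital or the interviewee; every address, domain and message in it is constructed, and the scoring thresholds are assumptions.

```python
"""Added example: scoring a few phishing indicators on an email before delivery."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases that signal the manufactured urgency the interview describes (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "expires", "act now", "limited time", "final notice")
QUARANTINE_THRESHOLD = 2  # assumed: two or more independent findings -> hold the mail

# Constructed sample messages; all domains are placeholders, not real senders.
SUSPICIOUS_EMAIL = """From: "PrimeStore Support" <alerts@mail-alerts.test>
To: shopper@example.test
Subject: URGENT: your order is on hold
Content-Type: text/html

<p>Your order expires in 2 hours. <a href="http://login.verify-now.test/verify">https://www.primestore.test/orders</a></p>
"""

BENIGN_EMAIL = """From: "PrimeStore Newsletter" <news@primestore.test>
To: shopper@example.test
Subject: This week's deals
Content-Type: text/html

<p>Browse <a href="https://www.primestore.test/deals">this week's deals</a>.</p>
"""


def link_mismatches(html):
    """Return (shown_host, actual_host) pairs where the visible URL and the href disagree."""
    pairs = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html, re.I):
        text = text.strip()
        if text.lower().startswith(("http://", "https://")):
            shown, actual = urlparse(text).hostname, urlparse(href).hostname
            if shown and actual and shown != actual:
                pairs.append((shown, actual))
    return pairs


def score_message(raw):
    """Score a single-part email and return findings plus a delivery verdict."""
    msg = message_from_string(raw)
    findings = []

    # 1. Brand in the display name that the sending domain does not carry.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand = display.split()[0].lower() if display else ""
    if brand and brand not in sender_domain:
        findings.append(f"display name '{display}' but sender domain '{sender_domain}'")

    # 2. Urgency language in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 3. Visible link text pointing at a different host than the real target.
    for shown, actual in link_mismatches(body):
        findings.append(f"link shows {shown} but goes to {actual}")

    score = len(findings)
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        result = score_message(raw)
        print(label, result["verdict"], result["score"])
        for f in result["findings"]:
            print("  -", f)
```

The constructed suspicious message trips all three indicators and is quarantined, while the newsletter from the matching domain scores zero. A real mail gateway would add authentication results (SPF, DKIM, DMARC) to this kind of scoring; the point here is that each of these checks runs on the message itself, before any person has to judge it.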
Digital Journal: Has COVID-19 seen an increase in fraud?
Ric Opal: Yes—not only have we seen an increase in fraud, but there has also been a corresponding increase in the sophistication of the attacks. Attacks are more timely, more targeted and fundamentally relentless. I’ve been getting calls daily from cyber criminals purporting to be the IRS or Apple Support, and I’m not the only one. These threats inundate us not only online, but via text and phone call. As we draw closer to the election, we can expect these attacks to become even more pervasive.
DJ: What are the most common forms that fraud takes?
Opal: Phishing continues to be a favorite tool for cyber criminals. While phishing attacks used to have typos and poor grammar, they are growing more sophisticated, making it more difficult to tell a phishing attack from a valid email.
DJ: Where does cybercrime typically come from?
Opal: Cybercrime can come from a variety of sources, depending on who is being targeted. When it comes to businesses and individuals within businesses, organized crime is often the perpetrator behind cyber attacks. While some attacks come from inside the U.S., data from global cloud providers shows that many attacks originate from outside the U.S. Nation-states engage in cybercrime, but typically their target is other nation-states rather than private businesses.
Cyber criminals use data and information collected from users to better target their attacks. When a person accepts cookies on a website, for example, it makes their buying patterns known, arming cyber criminals with data that can better inform their attack on that person. Many of the weapons in a cyber criminal’s arsenal come from a person’s willingness to trust their devices and share information indiscriminately.
Cybercrime can also come from inside the organization. You can put up every wall and defense to keep your organization secure from external threats, but that won’t protect you from internal bad actors. Understanding and combating insider risk can be a difficult task, but it’s a crucial component of good cybersecurity.
DJ: What are the main impacts on businesses?
Opal: Without question, the greatest consequence of a cyber attack to a business is brand damage. Nobody wants 60 Minutes or The Wall Street Journal reporting on their company’s hack. This is the ultimate cost for brands—damage to brand reputation can result in loss of clients and revenue. The consequences are even more dire at the present moment. It’s hard enough dealing with the pandemic and resulting recession—let’s not make it harder with an avoidable cyber attack.
DJ: What processes can businesses adopt to counteract these threats?
Opal: When designing processes to counteract cyber threats, the first step is to understand what it is you need to protect. What is important to one business may not be important to the next, and what is important to you may not be important to hackers. Think about what information hackers would benefit most from stealing. Is it credit card information? Protected Health Information? Make sure you understand what exactly is at risk so you know where to focus your cyber strategy.
The second step is to set up multi-factor authentication (MFA). MFA, when properly implemented, should be seamless. It’s a simple way to increase your cybersecurity.
The third step is to come up with a basic roadmap to get your organization to a zero-trust passwordless environment. Passwordless security is becoming more widespread as organizations seek to move away from passwords, which can be cracked with relative ease. Facial recognition and retinal scans, by contrast, are much more difficult to hack. Arriving at this passwordless reality isn’t easy, of course—it takes time, money and equipment. When constructing your roadmap, think about what equipment and expertise you’ll need to make a passwordless environment a reality. Focus your new security measures on the highest-risk individuals—individuals with access to sensitive information—during the first wave of implementation.
DJ: How important is it that employees are ‘cyber aware’?
Opal: It is, of course, critically important that employees are cyber aware. However, it isn’t just employees that need to be thinking about this. Everyone needs to be cyber aware. I have my own children watch cyber safety training. Cybersecurity isn’t just a business concern—it touches every part of our lives, especially as digital connectivity continues to grow.