No matter how big or small your business is, if you have an online presence, you’re susceptible to a cyberattack.
That was the warning from Mario Da Silva, corporate risk, safety and security manager with Manitoulin Transport when speaking at the Fleet Safety Council’s annual conference Oct. 1.
“Anyone with a website, doing online services, banking, even IT phone systems – if you have those you are at risk of being breached,” he warned. “It doesn’t matter what size company you are if you’re on the web, using email or online services, you are at risk.”
Often the first sign of a cyberattack comes when a company finds itself locked out of its own network, with demands of a ransomware payment to restore files or access. But Da Silva said by this time it’s too late.
“The hackers have probably been in your system for the last 90 to 120 days or longer,” he said. “You were most likely breached months ago. Only at this time did the hackers feel comfortable they could be successful in getting money.”
But before finding yourself in that situation, Da Silva shared some advice on what companies can do to mitigate the risk of a cyberattack.
Cyberattacks often originate from phishing schemes, in which employees are sent a cleverly disguised, legitimate-looking email containing an infected link. When they click the link, they have installed malware and invited the hacker into their network.
“Educate employees on the risk of clicking links,” Da Silva urged. “It only takes one click for a breach to occur.”
Businesses should restrict wifi access to company equipment or business purposes, he added.
“Have a supplier send in a false invoice to see if that gets through your system.”
Mario Da Silva, Manitoulin Transport
He also suggested companies test their employees by sending out fake phishing emails and seeing who takes the bait, so those individuals can be further trained.
“Have a supplier send in a false invoice to see if that gets through your system,” he added.
Employees also need to be aware of reporting requirements in the event they are breached. Even Da Silva himself was breached a few years ago. He clicked a system update link he thought was legitimate and noticed his computer was slow, as files were being deleted in the background. Because he promptly reported it to IT, they were able to end the attack with minimal losses.
“It’s important for employees to understand reporting such a breach or issues with your systems [quickly] allows your IT department to act a lot quicker,” he said.
Employees should also be sure to protect sensitive paper documents as well. Da Silva suggested having a “clean desk policy” so confidential information is locked away and not left out in plain sight.
Invest in systems
Da Silva said companies must invest in their IT networks and software, so the department can properly monitor them. Was a new user created at 2 a.m.? Is a system admin logging in at odd times and making changes? Are files being copied or breached? These activities should trigger alerts so IT can investigate, he said.
The same holds true when conducting due diligence on an acquisition. You don’t want to inherit their vulnerabilities when the two networks are merged, so Da Silva urged business owners to make cybersecurity a big part of the due diligence process.
And ask vendors and suppliers about their cybersecurity protection initiatives, he added.
“We are so integrated with third-party vendors, it’s important we understand how those systems are accessing our networks and what protections they have against cyberattacks,” Da Silva said.
If a vendor is storing your data in the cloud, ask where the servers are located. If it’s in Canada, they will fall under Canadian law and be required to notify you when a breach has occurred. If the servers are located offshore or in some states, no such legal requirement exists.
Ensure anyone accessing your network has a strong password that’s regularly updated, and use two-factor authentication to give an extra layer of protection, Da Silva advised.
Avoid generic sign-ons. “We’ve all seen it, where the shop or warehousing is using a common login. That needs to change. Each employee needs their own login so we can identify who is accessing your system and prevent a security breach through generic sign-ons,” he said.
He also said employees should use different passwords for each login. That way if a breach occurs in one area, it won’t easily expose others.
Keep software updated
Software updates should be downloaded immediately, and the computer restarted so they actually take effect, Da Silva said. Often those software updates were created to address a potential security weakness, and hackers will often move fast to breach a network before those updates are installed.
“It’s important devices are rebooted to ensure those system patches take effect,” he said. “By not rebooting computers, those patches aren’t being updated and it puts the network at risk. Employees must understand they have to restart their computers.”
Test your system
It’s not cheap, but Da Silva said companies should consider hiring an outside cybersecurity firm to conduct a penetration test.
It will provide a report on security weaknesses so they can be addressed before the bad guys find them.
Have a plan
Taking protective measures will help mitigate the risk of a cyberattack, but won’t guarantee your network’s safety. Have a business continuity plan in place in the even a breach occurs, Da Silva said.
A plan should be event-specific, and individuals should be assigned responsibilities in advance so they know what to do. This should include having a communication plan in place for customers, and even media. What will the message be, how will it be conveyed and who will convey it?
“Test the plan to make sure it’s working,” he added.