DIY Cybersecurity Stopped Working

This week I met with an acquaintance in a high-profile industry who started a company about five years ago with two people. They’ve grown to 10 employees and recently found a cybercriminal logged into one of their accounts.

How did this happen?

The company’s other owner used the same password for his email as he did across over 20 different websites. One of those sites was hacked. Criminals quickly tried the username/password combination at a popular email provider (not Microsoft or Google), and they got in.

The break-in was discovered when the compromised account began emailing employees asking for sensitive information. One employee who received the emails reported the unusual activity. Mailbox rules had been created in the compromised account so that the malicious messages did not appear in the owner’s Sent folder.
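The hiding rule described above is a textbook business email compromise indicator, and the same check can be run over any exported list of mailbox rules. The following is an added example, not code from the original post or from any email provider: the rule records and the field names (name, applies_to, conditions, actions) are constructed assumptions, and `example.com` stands in for the organisation’s own domain.

```python
"""Flag mailbox rules that show business-email-compromise (BEC) indicators.
Added example, not from the original post: the rule records are constructed and
the field names are assumptions rather than any email provider's API."""
from dataclasses import dataclass, field

ORG_DOMAIN = "example.com"   # assumed: the organisation's own mail domain
HIDE_FOLDERS = {"deleted items", "rss feeds", "archive", "junk email"}
ALARM_WORDS = {"password", "hacked", "phishing", "suspicious", "fraud", "wire", "invoice"}

@dataclass
class MailboxRule:
    name: str
    applies_to: str = "inbox"                       # "inbox" or "sent"
    conditions: dict = field(default_factory=dict)  # e.g. {"contains": ["invoice"]}
    actions: dict = field(default_factory=dict)     # e.g. {"move_to": "Deleted Items"}

def bec_indicators(rule: MailboxRule) -> list[str]:
    """Return the indicators a rule trips; an empty list means nothing suspicious."""
    hits, act, cond = [], rule.actions, rule.conditions
    hidden = act.get("delete", False) or act.get("move_to", "").lower() in HIDE_FOLDERS
    # The pattern from the incident: the owner's own sent mail is routed out of sight.
    if rule.applies_to == "sent" and hidden:
        hits.append("removes the owner's sent messages from the Sent folder")
    elif hidden:
        hits.append("hides incoming messages from the owner")
    if act.get("mark_as_read"):
        hits.append("marks messages read before the owner sees them")
    # Copies of mail leaving the organisation are a separate, classic indicator.
    for addr in act.get("forward_to", []) + act.get("redirect_to", []):
        if not addr.lower().endswith("@" + ORG_DOMAIN):
            hits.append(f"forwards to external address {addr}")
    # Rules keyed on the words a recipient would use when raising the alarm.
    if ALARM_WORDS & {w.lower() for w in cond.get("contains", [])}:
        hits.append("matches words a recipient would use to report the abuse")
    # Blank or one-character names draw no attention in the rules list.
    if len(rule.name.strip()) <= 1:
        hits.append("blank or one-character rule name")
    return hits

def suspicious_rules(rules: list[MailboxRule]) -> dict[str, list[str]]:
    """Map each suspicious rule's name to the indicators it tripped."""
    return {r.name: hits for r in rules if (hits := bec_indicators(r))}

# Constructed sample: one benign rule, one like the incident, one exfiltration rule.
SAMPLE_RULES = [
    MailboxRule("Newsletters", "inbox", {"from": ["news@vendor.example"]}, {"move_to": "Newsletters"}),
    MailboxRule(".", "sent", {}, {"move_to": "Deleted Items", "mark_as_read": True}),
    MailboxRule("Finance", "inbox", {"contains": ["invoice", "wire"]},
                {"forward_to": ["collector@attacker.example"], "move_to": "RSS Feeds"}),
]
```

Running `suspicious_rules(SAMPLE_RULES)` flags the one-character rule on sent mail and the forwarding rule, and passes the newsletter rule through untouched.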

It’s a good thing one employee was being vigilant. Are all your employees and owners trained and tested on cybersecurity awareness, so they know how to recognize potentially malicious emails and why it’s important to report them?

Aside from employees being cautious, how could this have been prevented?

Multifactor Authentication (MFA) would have helped stop the intruder from logging in. A work-grade password manager would have helped prevent the intruder from discovering this password (and others…). A better antispam filter with advanced business email compromise (BEC) filtering would have helped stop the unusual messages from reaching recipients. Truly preventing the problem takes a layered defense approach because no technology is perfect. Training to make all employees as vigilant as the one recipient who noticed a problem is also important because criminals are growing more sophisticated by the day.

What didn’t help?

Using an email provider intended for home users and the smallest of small businesses made the attack easy, because it wasn’t compatible with the latest cybersecurity defenses. Sticking with a startup, DIY approach to IT even as the company added employees and gained visibility made the attack successful. Now the company has a reputation to uphold as well as employees to attract and retain. Clients and employees won’t tolerate an unprofessional electronic work environment for long.

What wouldn’t help?

Using a business-grade email provider like Microsoft 365 doesn’t provide as much protection as you might assume unless security services are professionally enabled and integrated. There are several great email providers with many security controls, but do you know how to enable all those defenses? Often the best security settings are disabled by default, for the sake of making setup easier for DIYers. Will you know what settings to adjust as features are added and criminal techniques evolve? Will you remember all the right options when you’re setting up a new account for your next hire? Unless you have days to devote to reading security journals and watching hours of the right YouTube videos each month, DIY can’t keep pace with modern criminals. DIY also can’t keep up with the scalability a growing organization needs. It’s drastically more expensive to bolt on security after organizations grow or suffer an attack, so it’s best to start planning early and methodically. That said, later is better than never, and now is better than even later.

Modern criminals, by the way, probably aren’t explicitly targeting your small business or nonprofit organization. They don’t have to, because they use sophisticated automation to discover email accounts, servers, and cloud services with exploitable holes. These criminal tools are readily available. In other words, the fact that you’re small and don’t have top-secret data doesn’t matter here. The big companies with the most sensitive data have hardened their defenses. You’re now the low-hanging fruit. Criminals get the most bang for their buck by pursuing easy targets. Small organizations are quick, easy money for modern criminals.

What’s the solution?

There are many, many layers of cybersecurity defenses available. Some are more effective than others. Some cost more than others. Higher costs don’t necessarily correlate with a stronger defense. A professional will educate you on what defenses are available and help you calculate what combination is the best fit for your organization. The professional’s presentation should be factual, without coming across as patronizing, fearmongering, or one-size-fits-all.

When is the last time you talked with an IT professional about your email security? Were you satisfied with the conversation? If you’d like to talk with an expert or get a second opinion, contact us today. We love talking with organizations in our region to do what we can to stop the next attack.