A single compromised business email can expose sensitive client information — are you prepared?
Cybersecurity and data privacy are essential, particularly for IT staffing and engineering staffing firms. These firms face frequent cyber threats due to their interactions with clients, potential employees, and other stakeholders. How can they protect themselves?
This topic was discussed during a recent TechServe Alliance webinar featuring Ben Hunter, Principal at UHY LLP, Certified Public Accountants, in which he delved into the importance of cybersecurity for staffing firms and shared practical solutions to defend against these threats so that you can keep your company and client data secure.
The Biggest Cyber Threats Facing Your Business
Ransomware
What is ransomware? Ransomware is a major threat to businesses today. This harmful software can halt operations by encrypting data and demanding a ransom.
For smaller companies, an attack like this can be disastrous. Ben Hunter shares an example of a veterinary clinic that was shut down for a month due to ransomware. This shows the severe impact on small businesses.
“Larger companies are able to recover… If you’re a smaller company, your customers don’t have time to wait for you to come back online,” Hunter notes.
Imagine being unable to access your files and data (not a pretty picture)! It’s a nightmare for any business, but especially for the smaller ones. They often lack the resources to bounce back quickly. And ransomware doesn’t just stop work – it can also damage reputations and customer trust.
What are the recovery options and methods for ransomware?
- Paying the Ransom: Not advised due to the uncertainty of data recovery. Even if you pay, there’s no guarantee all your data will be restored. Cyber gangs aim for smooth transactions to encourage payment, but their decryption tools often fail.
- Restoring from Backups: The best approach. To be able to restore your data, you need to make regular backups in three places: the original location, cloud storage, and a physical device. Test your backups regularly. How often should you do this? It depends on your business’s risk tolerance.
Additional Risks: Double Dipping
Ransomware gangs might also threaten to expose or sell stolen data if the ransom is not paid. This is known as “double dipping.” To counter this, you need to have tools in place to monitor and prevent data exfiltration. After an attack, conducting a forensic analysis helps you understand the breach and what data was exposed.
Business Email Compromise (BEC)
What is BEC? BEC includes scams like CEO fraud, account hacking, fake invoices, lawyer impersonation, and data theft.
Hunter notes, “Business Email Compromise (BEC) is one of the most expensive and pervasive cyber crimes out there. Billions of dollars are lost every year.”
So how do you protect your company from BEC? To reduce BEC risks, secure your email accounts and enable two-factor authentication (2FA). Additionally, confirm any financial transaction or account change through a second, independent channel (such as a phone call to a known number) before acting on the email.
Important Cybersecurity Statistics for IT Staffing and Engineering Staffing Firms
- 82% of people use the same passwords on multiple sites. This is a huge security risk.
- 98% of companies say they have security awareness programs. Yet, 90% of cyber attacks are phishing-based.
- It usually takes 250 days to discover a breach from compromised credentials.
- Every month, 1.5 million new phishing websites are created.
- 60% of companies that suffer a ransomware attack go bankrupt within a year.
- Ransomware and Business Email Compromise (BEC) cause billions in losses each year.
- BEC scams use various tactics such as CEO fraud, account compromise, false invoice schemes, attorney impersonation, and data theft.
Proactive Measures for Data Privacy and Cybersecurity
You have to know what measures to take and how to protect sensitive data if you want to keep your company’s data safe. Here’s what you can do to prevent cybersecurity issues from arising in the first place:
1. Data Classification and Flow Mapping
Hunter poses a critical question: “If we don’t know what we are protecting, how can we protect it? If we don’t know where our data is, how can we put the tools in the right place?”
Organizations must understand what data they are protecting and where it resides. Creating a data classification policy and mapping data flow helps pinpoint and secure sensitive information.
2. The Importance of Cybersecurity Training and Awareness
Regular cybersecurity training for everyone, from CEOs to interns, is essential. This employee training should happen frequently to keep cybersecurity top of mind.
Teach employees to spot signs of phishing attacks and attempts, and how to follow secure procedures (like verifying bank account changes via phone).
3. Investment in Cybersecurity
Effective security protocols, like anti-malware and antivirus software, are essential. Upgrading to higher security versions of software (for example, Microsoft 365 S5) offers better protection.
Cyber insurance is another important strategy, but it requires accurate documentation of your security measures.
“Cyber insurance companies are getting better at managing their risk. They will verify that all cybersecurity measures you claimed were in place before paying any claims,” Hunter explains.
4. System Updates and Patching
Regular updates and patching of systems are vital to defend against known vulnerabilities. Remember the WannaCry virus? This ransomware attack in 2017 spread through unpatched systems worldwide, encrypting data and demanding ransom payments. It showed why timely updates are so important.
“The vast majority of viruses and ransomware take advantage of the neglect of IT organizations and our businesses. Regular vulnerability scanning and patching can mitigate these risks effectively,” Hunter shares.
The Role of AI in Cybersecurity
Artificial intelligence (AI) has a dual role in cybersecurity.
On one side, cybercriminals use AI to craft sophisticated phishing attempts and deepfake videos. These technologies can create realistic yet fake content, which poses big challenges for cybersecurity.
For example, deepfake videos can be used in kidnapping schemes that make it look as though a victim is in distress when they are not, built from images and even voice recordings pulled from the victim’s social media.
AI can also improve phishing emails and make them more believable and harder to spot.
On the flip side, AI is a strong defense tool. It helps spot unusual data movements and flags phishing emails. AI-driven pattern recognition software can catch phishing emails before they reach users. This adds an extra layer of protection.
Hunter explains that “AI is using pattern recognition to quarantine phishing emails before they even get to you.”
Developing a Cybersecurity Culture in IT Staffing and Engineering Staffing Firms
Building a solid cybersecurity culture begins with leadership. Leaders must actively engage and show their dedication to cybersecurity. Their involvement sets the tone for everyone. This is why leaders need to bring energy to cybersecurity planning and training sessions.
You also want to create a supportive environment. What does that look like?
Hunter notes, “Training needs to happen often with a praise versus punishment system. You want to acknowledge when somebody deletes an email and not punish people because they had a bad day and clicked on something.”
How Do You Respond and Recover from an Incident?
What action should you take when something happens? Ben Hunter advises, “In case of a cyber incident, the first step is to call the cyber insurance company and then start analyzing the situation.”
Blocking internet access can halt data exfiltration while the situation is assessed. A detailed incident response plan with assigned roles, designated backups for each role, and tested data backups enables a swift response.
Regularly review and update your incident response plans. These plans should be accessible even if systems are compromised. That means: Print this plan and keep it close to you and your employees. As Mike Tyson famously said, “Everyone has a plan until they get punched in the mouth.”
Ben Hunter summarizes the importance of proactive measures: “Investing in cybersecurity measures is an essential safeguard against an evolving landscape.”
By implementing these strategies, IT staffing and engineering staffing firms can better protect their operations, clients, and employees from evolving cyber threats.
If you would like to view the full webinar, you can do so here.