Cybersecurity is a hot topic these days and something that many rental business owners may not be considering when it comes to their business strategy.
But with the global pandemic forcing more people to work from home and stay more digitally connected than ever before, cyberattacks have skyrocketed, and business owners need to be aware of the need to better protect their data.
In fact, the FBI reported that the number of complaints about cyberattacks to their Internet Crime Complaint Center (IC3) has increased to around 3,000 to 4,000 a day. That is equivalent to a 400-percent increase from what they were reporting before COVID, which was around 1,000 complaints daily.
The pandemic has also caused an increase in COVID-19 themed attacks, where cybercriminals get access to a system using phishing or social engineering attacks. Microsoft reported that these attacks have jumped to 20,000 to 30,000 a day in the U.S. alone. And Zohar Pinhasi, a cyber counter-terrorism expert and founder of the cybersecurity firm MonsterCloud, says ransomware attacks, or the act of cybercriminals holding computer data or a network hostage until a ransom is paid, are up 800 percent.
There has never been a better time to make sure that your rental business’ data and cybersecurity practices are up-to-date and running as efficiently as possible. Learning the best ways to protect yourself and your assets, and figuring out your vulnerabilities, is critical.
Enter Varonis, a data security and software provider that is on a mission to focus on securing data. As their website states, “Data assets are the most valuable – and vulnerable – components of the global economy. Along with employees, data is at the heart of almost every organization, yet conventional cybersecurity solutions, by themselves, have failed to protect it.”
We spoke with Kilian Englert, a technical marketing manager at Varonis, about cyberattacks, data security, and how rental business owners can be better prepared.
Q: Tell me more about cyberattacks. What are they, what do they do, what do they target?
A: Cyberattacks are criminal and intentional attempts to disrupt a computer network. In most cases, the goal is to steal, encrypt, change, or delete information. Once attackers are in, they're often able to access any files that aren't protected—and for many companies, that's millions of files.
Q: What is phishing?
A: Phishing is when an attacker sends a phony email that looks legitimate in an attempt to deceive a victim into clicking a link to a malicious website or opening a document that runs malware or establishes a connection back to the external attacker as a launch point for a wider attack. It could happen to anyone, and it happens to companies every day.
When phishing emails are targeted and seem plausible, people let their guard down. Unfortunately, phishing emails are the perfect delivery mechanism for malware—and attackers have plenty of options at their disposal. They can hide malicious code in a macro in an Office document. They can link to a website that installs malware on the user's computer. Once they've established themselves, attackers will often lay low to expand within the network. Other times, the malware delivered is ransomware that quickly begins to encrypt every file the employee can touch.
Q: Can you explain the difference between insider threats versus external threats?
A: An insider threat is malicious activity caused by someone within your organization, like an employee or contractor. Insiders can be after sensitive information they can use or sell for personal gain. Sometimes, they will change or delete important information before they leave a company. It's hard to spot an insider intent on doing harm—insiders often do a good job blending in. But if you're not watching what files people are opening, you can miss the early signs of an internal attack. If someone in your company starts to access files they have no business looking at, you might have an insider on your hands.
However, the line between “internal” and “external” threats is blurry. An external threat would be an attacker who does not have legitimate access to an organization’s network or resources; however, once an external attacker compromises an account or machine belonging to an “insider” or a piece of hardware or software connected to an internal network, there is little distinction. The external threat becomes an inside threat with different motivations, but often similar goals – to steal valuable information either to sell outright or as part of an extortion operation directly or as part of a ransomware campaign.
To minimize risk, organizations should reduce access to a least-privilege model. That means restricting access to sensitive information to only those people on a need-to-know basis.
External attackers are bad actors coming from outside your organization. They can be a lone, amateur attacker or a well-funded cybercriminal group. They will find a way inside a company through various methods, like a well-crafted phishing email. Once inside a network, they will slowly "land and expand" and elevate their credentials, essentially giving themselves more access and control. If the attacker's goal is to deploy ransomware, files will be quickly encrypted. It's becoming more common for attackers to exfiltrate data first before deploying ransomware because of the idea that victims will be more likely to pay to get their data back and a promise not to leak the data publicly.
Q: What are the biggest threats in terms of data security to rental business owners?
A: The biggest data security threats to rental business owners are internal and external attackers seeking to steal, encrypt, alter, or delete sensitive information. That information includes the personal identifying information (PII) and payment card information (PCI) for customers, information on employees, and other data like financial information. Imagine if you had to run your business with pen and paper with no access to computers or digital files – that's what companies are forced to deal with after they fall victim to ransomware.
Q: What happens if your data is stolen? How does that affect business owners?
A: Customer confidence and trust in your business can take a hit if your data is stolen. Breaches need to be reported to the proper authorities, and in some cases, fines can result. It's beneficial to think ahead and be in the position to show you take cybersecurity seriously—so if something does go wrong, having good detective controls can alert an organization to an attack in progress, and having good preventative controls in place can minimize the damage. Plus, this puts the business in a good position to demonstrate that they took reasonable steps to keep information secure.
Q: What can business owners do to protect their data? How can they be the most proactive regarding data security?
A: Let the principle of least privilege be your guide—limit access to those who need it and no more. Regularly review who has access and validate the business need is still valid – especially for users with access to sensitive data. Use and enforce a password management policy. Ensure your network does not have any "ghost" users, or former employees and older accounts no longer needed. Hackers can brute-force, or essentially try to crack, these accounts, and if no one notices, they can keep trying until they're inside your network. Archive or delete data that you no longer need for your business, especially if it's sensitive.
Q: In terms of software, is it expensive to invest in cybersecurity?
A: There is no one-size-fits-all approach to cybersecurity. Many companies are under-invested in cybersecurity or lack solutions that work together and "talk" to each other. Antivirus and firewalls are no match for today's cybercriminals. Even amateurs can use off-the-shelf hacking tools or deploy ransomware-as-a-service.
The best recommendation is to take a defense-in-depth approach and select solutions that monitor for signs of attack across the environment – the perimeter at ingress and egress points, at the endpoint level, and monitor the data itself. This gives defenders more at-bats to spot attackers as they jump through more hoops to try to get to their target. In addition, there’s no defense like a good offense either, as strong preventative controls like locking data down to least privilege will reduce potential risks as well. The right solution will augment your security team and help ensure you are set up for success if you are hit by ransomware, a malicious insider, or another kind of attack.
Q: How is staffing an issue given the high demand for cybersecurity experts?
A: It's challenging to fill cybersecurity roles given the constant, high demand for experts. So, it's critical to set the team you have up for success. It is not uncommon for organizations to push people from other disciplines into cybersecurity roles to help satisfy the demand, so it’s important that the solutions in place have enough automation and correlation to empower people new to cybersecurity to be effective without years of in-depth training.
Don't assume a cyberattack won't hit your company or that you aren't interesting to attackers. You need to proactively check for vulnerabilities, educate staff, patch all your systems, and—because attackers are typically after data—restrict access to sensitive information on a need-to-know basis.
Q: What does the future look like for cybersecurity?
A: Two recent attacks hold clues to what the future of cybersecurity looks like. The SolarWinds supply chain attack hit a minimum of 18,000 companies, but the damage was likely far worse. In 2021, Microsoft announced a Zero Day threat—an active but previously unpatched vulnerability—affecting organizations using Exchange on-premises. In both cases, the victim organizations did nothing to set off the attack. Once tools and techniques are used, it's not long until other attackers and groups use and adapt the same methods.