Blog Cyber Security Managed Service Provider Ransomware

Real-life Examples of Cybersecurity Nightmares That Could Have Been Avoided

Published by on April 22, 2022
No featured Image

Security and compliance awareness training transforms a company’s greatest security risk  into its greatest defensive asset.

 

 

When companies empower their employees through security awareness training, they gain a host of unbeatable benefits like reduced security costs, increased compliance and a big edge against cyberattacks.

 

These scenarios offer concrete examples of the cyber dangers that organizations are facing today and the consequences of failing to prepare employees to handle them.

 

Scenario 1: Ransomware Nightmare

 

 

A ransomware attack takes place every 11 seconds, and no business is safe. The most likely tool cybercriminals use to launch ransomware attacks is phishing email — and if employees aren’t aware of what to be on the lookout for, it could spell disaster.

 

Here’s how an incident like this might unfold:

 

An employee checks the messages in their email inbox. They open a message that tells them that they need to fill out some important human resources paperwork right away. Conveniently, the form they need to complete is attached to the email.

 

The employee quickly opens the attachment to take care of it. However, they don’t just download a form — they also download ransomware. About 50% of ransomware attacks target businesses with fewer than 100 employees.

 

What might happen if an employee action at my company causes this security failure?

 

The cybercriminals perpetrating this attack might use ransomware to do any number of devastating things:

 

  • Encrypt the victim company’s data, computers, machines, production line or other business systems, paralyzing their operations.
  • Steal data, records, employee information, patient files, formulas, blueprints, financial data, customer lists or other proprietary data.
  • Threaten to damage the victim company by publicizing the attack or releasing information in the stolen data that could cause the victim embarrassment or harm.
  • Demand payment to provide remedies for these problems — and the average ransom demand is $570,000.

 

Possible Outcomes

 

Nothing good awaits a business that fails to defend against a ransomware attack.

Possibility: The attacked organization agrees to pay the ransom in a misguided attempt to resume normal business quickly.

 

  • However, fewer than 60% of companies that pay the ransom when they’ve been hit by a ransomware attack are able to recover even part of their data. In fact, 39% of companies that pay a ransom never see any of their data again.
  • Paying ransoms may be illegal, and cyber insurance is unlikely to cover the ransom payment.
  • Experts estimate that 80% of companies that pay the ransom get hit with a second ransomware attack, often in as little as 12 months of the first.

 

The victim company will most likely experience downtime, potentially losing revenue and business opportunities. Companies impacted by ransomware lose an average of six working days.

 

How does security awareness training help?

 

Trained employees are alert to the danger presented by unexpected messages, even when they’re official sounding. They’re also armed with the skills that they need to take the right actions when faced with a suspicious message, like checking for common red flags that indicate phishing. The knowledge that employees gain from security awareness training improves phishing awareness by an estimated 40%.

 

Scenario 2: BEC Disaster

 

 

Business email compromise (BEC) is the cyberattack that can do the most damage to businesses, with an adjusted loss of approximately $1.8 billion in 2021. BEC typically starts with a phishing message and ends with cybercriminals getting cash or credentials from the victim.

 

Here’s how a BEC incident might unfold for a business:

 

An employee at Company A receives an email that appears to be from their contact at Company B — a service provider for Company A. The email tells the user that they need to pay a legitimate outstanding invoice and warns that their service may be disrupted if they don’t pay it immediately. Company A usually pays Company B via wire transfer. The message advises Company A that Company B’s banking information has changed, and Company A should send payment to this new account. Company A complies, sending a large sum of money to the new account. However, there is no new account for Company B, and Company A has been scammed.

 

What might happen if an employee action at my company causes this security failure?

 

Any or all of the following could happen, and all of these consequences are unpleasant.

 

If you work at Company A: 

  • Your company sends almost always unrecoverable money to cybercriminals via wire transfer, gift card or electronic payment.

 

If you work at Company B: 

  • An employee gives up their password, enabling cybercriminals to log in to your systems.
  • Bad actors obtain a privileged password that allows them to access sensitive systems or data.
  • Cybercriminals take over accounts that enable them to pose as your company to commit other cybercrimes.

 

Possible Outcomes

 

Both companies incur big expenses and bigtime trouble.

 

Company A  

  • An employee transfers large sums of money to the cybercriminals. The median cost of a BEC loss is $764,000.

 

Company B 

  • The cybercriminals are able to snatch credentials that give them access to a privileged user account, like an administrator account, that allows them to deploy ransomware or other malware.
  • The victim company has to undertake an expensive, time-consuming incident response. BEC has the highest cost per incident of any cyberattack.
  • The threat actors are able to use the employee password that they obtained to access data like customer lists, client or patient files, and financial information.
  • The bad guys steal customer PII (Personal Identifiable Information), an element included in 44% of breaches at an average cost of $180 per record.
  • Bad actors are able to take over a legitimate employee email account and use that account to pose as legitimate representatives of the employee’s company to launch new BEC schemes.

 

How does security awareness training help?

 

If you’re Company A, training helps by making employees more vigilant. A security-savvy employee would smell a rat in this scenario. They’d know the best practice here would be to contact Company B via other means (like a phone call) to verify the legitimacy of the request and notify their supervisor or IT team of the issue.

 

If you’re Company B, training helps by teaching employees to be wary of anyone asking for their login credentials. Security awareness training empowers employees with the knowledge that they need to avoid cybercriminal traps like that that can lead to a BEC incident. That’s one reason why security-related risks are reduced by 70% when businesses invest in cybersecurity awareness training.

 

By preventing an employee from getting fooled, Company B also avoids an expensive, stressful incident investigation and cleanup. Even a modest investment in security awareness and training has a 72% chance of significantly reducing the business impact of a cyberattack.

 

Scenario 3: Human Error Calamity

Employees are human, and humans make mistakes. While sometimes these mistakes are nothing more than unfortunate problems, most of the time employees make bad security decisions because they don’t know what they are doing, for example, entering their password on a phishing site or falling for social engineering tricks. Employee mistakes, either through carelessness or simple ignorance, are responsible for more than 60% of security incidents.

 

Here’s how an employee mistake incident like this might unfold for a business:

 

An employee receives an email telling them that they need to change their password for Office 365. The email contains a link to help them do it. The unsuspecting employee clicks on the link, which goes to a web page that looks legitimate to them — it has Microsoft’s logo and everything. The employee then enters their password and chooses a new one. However, the email prompting the password change as well as the web page are fake, and the employee just gave their login credentials to cybercriminals.

 

What might happen if an employee action at my company causes this security failure?

 

Any or all of the following security nightmares could unfold:

  • The bad guys snatch an employee or privileged user’s credentials.
  • Someone sends an unauthorized person a sensitive file.
  • Company systems become infected with malware like ransomware.
  • Cybercriminals gain access to proprietary information or protected data.
  • Bad actors take over an employee user account.

 

Possible Outcomes

 

One employee mistake can kick off a chain of events that ends in a disaster.

 

  • Bad actors use stolen login credentials to deploy ransomware or otherwise harm the victim company.
  • Cybercriminals are able to steal data from the employee’s company.
  • Bad actors access or obtain protected data, resulting in the company incurring a large penalty and the potential loss of a contract.
  • The victim’s employer must now begin an incident investigation and response.

 

How does security awareness training help?

 

  • Security awareness training improves overall password security by as much as 50%.
  • Security awareness training reduces the costs that companies incur because of phishing like lost productivity and incident response by more than 50%.

 

With risks like these around every corner, it’s easy to see why every company needs to make a powerful defense against  the wake of a cyberattack. The Pacific IT Support answers that call. Contact us today or book a discovery session.

Leave a Reply

Your email address will not be published. Required fields are marked *