We’ve reached another inflection point in the ongoing evolution of cybersecurity.
For years and years IT service providers like us have been talking about how pivotal employee education is to your organization’s security. This defensive measure has become so fundamental that we include it as part and parcel of our ongoing service package.
More recently we had been strongly recommending our clients implement defensive measures like multi-factor authentication and advanced endpoint protection as the then-current “baseline” for their organization. This came in response to malicious actors finding their way around both complex passwords and traditional anti-virus software.
As was bound to happen, this baseline is now waning in effectiveness as cyber criminals continue to advance their tactics.
To help paint the picture we’ll cover two developments we’ve seen across mid-sized organizations and law firms—and what this means for your own cybersecurity strategy.
How Tactics Have Changed
What we find most relevant to you are these two examples of hacker behavior that might surprise you:
1 – They can gain access to “secured” accounts.
We are seeing an increase in scams that use document and video conferencing links that appear fully legitimate, prompt you to sign in to your account, and have you authenticate with your chosen method (text, for example).
When you do, the malicious actor is able to hijack that authenticated session and essentially bypass multi-factor authentication (MFA). The technical explanation of this can be found in this article from Microsoft.
MFA is still a critical protective measure, but having it enforced for your accounts does not make them untouchable.
2 – They may use access to patiently plan financial fraud.
Whether the malicious actor gains access to your email account through the method above or another, they may not launch their actual attack for several months.
Rather than simply stealing information, the hacker will watch your email communications to identify where the largest transactions are taking place and who is involved in those exchanges.
They will bide their time for the next billing cycle and—using email rules to manipulate your inbox—intercept legitimate email chains to re-route payments to accounts of their choosing. And they’ll keep doing so—often until a vendor of yours reaches out about missed payments. Recovering this money is extremely rare.
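One way to detect the inbox-rule tampering described above, as an added example that is not part of the original post: it scans constructed, simplified audit entries (shaped like Microsoft 365 New-InboxRule events; INTERNAL_DOMAIN, the sample addresses and folder names are assumptions) for rules that forward mail externally, hide payment-related messages, or carry a near-empty name.

```python
# Added example (not from the original post): flag inbox rules that fit the
# fraud-staging pattern described above. Events are constructed and only mimic
# the shape of Microsoft 365 New-InboxRule audit entries; field names follow
# the cmdlet's parameters.
from dataclasses import dataclass
from typing import Optional

INTERNAL_DOMAIN = "example.com"  # assumption: the tenant's own mail domain
PAYMENT_WORDS = {"invoice", "payment", "wire", "remittance", "ach", "bank"}

@dataclass
class Finding:
    user: str
    rule: str
    reasons: list

def _external(addr: str) -> bool:
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)

def analyze_rule(event: dict) -> Optional[Finding]:
    """Return a Finding when a rule shows known fraud-staging traits, else None."""
    p = event.get("Parameters", {})
    reasons = []
    # Mail silently leaving the tenant.
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in p.get(key, []):
            if _external(addr):
                reasons.append(f"{key} to external address {addr}")
    # Payment-related mail being hidden so the victim never sees the real thread.
    words = {w.lower() for w in p.get("SubjectContainsWords", []) + p.get("BodyContainsWords", [])}
    hidden = p.get("DeleteMessage") or p.get("MarkAsRead") or p.get("MoveToFolder") not in (None, "Inbox")
    if words & PAYMENT_WORDS and hidden:
        reasons.append(f"hides messages matching {sorted(words & PAYMENT_WORDS)}")
    # Blank or one-character names help a rule go unnoticed in the rules list.
    name = p.get("Name", "")
    if len(name.strip()) <= 1:
        reasons.append("near-empty rule name")
    return Finding(event["UserId"], name, reasons) if reasons else None

def scan(events: list) -> list:
    return [f for f in (analyze_rule(e) for e in events) if f]

SAMPLE_EVENTS = [  # constructed sample events
    {"UserId": "cfo@example.com", "Parameters": {"Name": ".", "SubjectContainsWords": ["invoice", "wire"], "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"UserId": "ap@example.com", "Parameters": {"Name": "Forward", "ForwardTo": ["billing@vendor-invoices.example.net"]}},
    {"UserId": "hr@example.com", "Parameters": {"Name": "Newsletters", "SubjectContainsWords": ["digest"], "MoveToFolder": "Reading"}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.user}: rule {f.rule!r} -> {'; '.join(f.reasons)}")
```

In a real tenant the same checks would run over exported audit-log records, and any hit on a finance or executive mailbox warrants an immediate session revoke and rule review.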
What to Do About It
Ultimately, this means that our concept of baseline measures needs to change, and that any control falling below that minimum threshold needs to be treated as a requirement, not an option.
To get started:
- Audit your security. This does not have to include advanced penetration testing but must include a comprehensive review of the systems in use and related controls.
- Get a prioritized gap analysis. The “prioritized” piece is important — you’ll likely end up with a list of improvements each with their own investments and timelines which can be overwhelming without guidance to help you organize.
- Budget for and schedule recurring security checks. As hackers continue to surprise us, we must continue to keep pace with our defense and response capabilities. As much as we’d like to say having a reliable IT partner eliminates the need for dedicated security initiatives, that is not the case.
To get specific:
One control in particular that is closely tied to the examples we’ve used here is a licensing add-on for Microsoft users: their Enterprise Mobility + Security E5 license includes intelligent risk evaluation during authentication that can help catch these “adversary-in-the-middle” attacks.
As always, please reinforce vigilance with your team as your people can make or break your security posture.
If you’re with a law firm and want a quick, free evaluation of how your overall IT strategy aligns with best practices, take our self-assessment and get your IT Maturity Score in 6 minutes or less.