Criminals once preferred to target large companies, but the threat has spread

Cybercrime continues to evolve
All types of cybercrime are increasing, but a new form of cyberattack that is particularly hard to defend against, called threadjacking, could prove to be the most devastating threat to your business. 
It starts with criminals stealing your email credentials through a standard phishing attack. Instead of using your email to send out another slew of phishing emails, cybercriminals remain hidden in your inbox to learn your patterns. Once they know how you communicate, they will respond to an existing thread with an invoice request or a malicious attachment that has been socially engineered for the recipient to open. Because the communication seems to be coming from you, the recipient is much more likely to do what the criminals ask.
Google and Facebook recently lost $123 million to threadjacking cybercriminals who posed as legitimate vendors using very convincing emails that got the companies to wire vast sums for phantom services. Those costs are in hard dollars that companies are unlikely to ever recover. 
Criminals once preferred targeting large companies, but cybercrime has spread down to the individual employee level. Companies of all sizes must prepare for the threat. This is particularly true for smaller companies with fewer resources dedicated to IT security. 
If even Google and Facebook are getting fooled, you might feel helpless as a small business owner. You are not. Through vigilance, training and planning, you can mitigate the cybersecurity threats your business is facing.
Here are four simple steps to protect your business.
1. Educate. Know the threats and make sure your employees do, too. Regularly train staff on phishing and randomly test them. Avoiding the wrong links or attachments can prevent most incidents. 
2. Plan. No one expects to suffer a cyberattack, but nearly every business will face one or more, so it’s best to be prepared.

  •   Build an incident response plan before an attack to allow for rapid recovery and minimal impact. 
  •   Actively monitor platforms like Microsoft Exchange or Office365 so that possible or attempted breaches are identified as early as possible.
  •   Enforce an up-to-date password policy. The National Institute of Standards and Technology’s guidelines are a good baseline.
  •   Tighten controls around payments and other vulnerable processes, and advise customers to do the same. Be especially wary of emails requesting remittance. Require more than email approval for an added layer of protection.

3. Secure your email system. This applies to all platforms. If you are using Microsoft Exchange or Office365, you have options such as spoofing prevention and conditional access that controls how data can be accessed (both network-based and device-based).
4. Set up additional layers of protection. There’s never too much security. Consider adding shields like multifactor authentication, device management (mobile and PC) and mobile application management to control which devices can access which data under which conditions.

Cybercrime is a threat to everyone interfacing with technology. You can dramatically reduce the risk to your business and mitigate the damage of any attack with the right training, planning and systems. Start today.

Dave Lazor is founder and CEO at Lazorpoint