Desktop computers left logged in over the weekend. Laptops and flash drives left unattended on desks. Sticky notes with email and system logins stuck to the walls of a cubicle.
They’re common sights in many workplaces, and likely don’t raise an eyebrow when encountered day to day. But office workers should rethink what may seem like a harmless convenience, said Eric M. Shorr, president of Secure Future Tech Solutions in Warwick.
“Accidental exposure happens all the time,” Shorr said. “People leave laptops in cars, trunks, on their desks, even. I’ve seen, from secure offices, people leave their laptops over the weekend, and they can go missing. … A laptop can go in a bag very quickly and it can be gone.”
And with that lost laptop, login or flash drive goes sensitive information that hackers can use to compromise companies and target other employees.
With cybercrime continuously on the rise, hackers can be anywhere, Shorr said. In Rhode Island alone, 1,115 people reported being victims of internet crimes in 2021, costing more than $13 million, according to the FBI’s Internet Crime Complaint Center at ic3.gov. At the national level, the database has logged 2.6 million complaints over the past five years, totaling $18.8 billion in losses.
Eric Shorr and Lisa A. Shorr, vice president at Secure Future Tech Solutions, highlighted these statistics, common methods of cybercriminals and ways that companies and individuals can protect themselves against cyberattacks in a “How to Think Like a Hacker” workshop during Providence Business News’ 10th annual Cybersecurity Summit on Oct. 6 at the Crowne Plaza Providence-Warwick.
While the FBI statistics on cybercrimes may seem alarming, the highlighted statistics may only scratch the surface of the problem, Eric Shorr said.
These numbers “could realistically be double, triple, even greater,” as many victims of cybercrimes are afraid to report the incidents, fearing consequences and laws they would have to comply with, he said.
Cybercrimes can take a variety of forms, ranging from attacks relying on trickery, such as phishing or “spoofing” emails posing as a trusted source, to complex ransomware attacks, where a hacker infects a computer with malicious software that encrypts data, then demands a ransom for the information’s return. On average, hackers demanded around $570,000 for a ransomware payment in 2021, according to cybersecurity industry data.
While large corporations may come to mind as cybercrime targets, the Shorrs said, businesses of all sizes can fall victim to hackers.
In a real-life example, Lisa Shorr said, one employee at an unspecified company received a spoofed email that appeared to come from a manager. The employee went ahead with instructions to purchase multiple CVS Health Corp. gift cards. That simple deception ultimately cost $1,200.
Employers should ensure their workers are educated about these scams and other common methods, the Shorrs said, such as phishing, in which individuals are asked to give their login information to a hacker through a seemingly reputable site, sometimes accessed through an email link.
When in doubt, always verify a request through a human interaction with a trusted individual, she said, and take an extra moment to type in a web address, rather than following an email link.
“At the end of the day, pick up a phone and make a call, go directly to the website, log in properly,” she said. “Don’t touch any of these emails that come into your inbox.”
And individuals should have a healthy degree of doubt, she added.
“If you walk away with anything today, please walk away with a mindset of vigilance,” Lisa Shorr said. “I want everyone to be on the lookout for everything. Don’t just assume everything is OK.”
But even with this added vigilance, companies and individuals can still become victims of cybercrimes, the Shorrs said.
And if one employee is hacked, Eric Shorr said, act as if this breach extends to everyone in the company.
“Assume everyone is compromised,” he said. “Change the password for everyone, and implement, if you don’t have it already, two-factor authentication.”
This method, which prompts an employee to verify a log-in attempt through a second platform, such as an app or with a text message code, is a simple but powerful tool to curb hacking attempts, he added.
Companies should also reach out to their cyber insurance provider, he said, and report the crime. While many businesses are afraid to report cybercrimes, investigation methods have changed over the years, he said. While authorities used to conduct a criminal investigation, confiscate computers and bar companies from paying ransoms, businesses now have more options on how to proceed after a cyberattack.
And while the Shorrs broadly recommend not paying a ransom, resources are available for companies that decide it’s a necessary step.
“It’s no one’s first choice to pay a ransom,” Eric Shorr said. “But if that’s what needs to happen, you can get help with that.”