As the pace and ways of doing business evolve, so do cyber security risks. A recent discussion with cyber security firm Kobalt.io revealed the top threats businesses face in 2023.
As cyber security incidents have become more prevalent and newsworthy in recent years, businesses of every size have become more aware of the threats they face at the hands of cyber criminals. But with uncertain economic conditions, high employee turnover and changing workplace models, the threats continue to shift, requiring extra diligence and vigilance by business owners.
In a recent conversation, Michael Argast, Co-Founder and CEO of Canadian cyber security firm Kobalt.io, shared the top cyber trends to watch out for in 2023 – and how to help protect your business from them.
1. Financial fraud attacks are on the rise
One of the untold stories of 2022 that’s continuing in 2023 is a significant rise in financial fraud attacks. Argast explains, “This is where an attacker is able to get into a customer environment, and by inserting themselves into a business’ email system, they can convince a customer, supplier or vendor to misdirect funds to an illegitimate source.”
He further explains attackers often monitor an email system for lengthy periods, scanning correspondence between suppliers and contractors about financial matters. When a large transfer comes up, they can insert themselves into existing communication threads and convince one of the parties to send funds to the wrong destination.
The attack relies on an increasingly sophisticated set of technical tools that allow attackers to penetrate the environment, combined with enhanced social engineering tactics. It is very effective because the attackers’ emails look legitimate. “You have no reason not to trust the request because you’ve trusted 10 – 15 other exchanges in that thread,” explains Argast.
2. Ransomware remains a threat
According to a recent RBC survey, 44 per cent of small business owners think their business might be a victim of cyber crime in the next 12 months, while 32 per cent admit they’re not prepared for a potential cyber attack.
In recent years, Argast and his team have noted changes in ransomware complexity and sophistication and a shift from primarily consumer-focused attacks to business-focused attacks.
“Ransomware incidents have become much more long-term, and criminals are more persistent, waiting until they have a really strong footing in an organization so they can take it down as a whole.” Attackers may lock down systems, steal consumer data and blackmail organizations, which he notes is a shift in behaviour.
On the upside, Argast explains that many businesses have shifted to the cloud, helping to insulate them more from the impact of ransomware. “If you don’t have a lot of servers on-site, if you don’t have a lot of critical data on your laptops, the ability for ransomware to impact your business effectively is dramatically reduced. Organizations are benefitting from that shift to the cloud organically,” he says. He adds that top-tier cloud service providers tend to be very good at securing their systems.
3. Remote work creates vulnerability
While workers across Canada have begun returning to the physical workplace, remote and hybrid work models are still very common. These may cause gaps in a business’ cyber security protections.
“One of the biggest challenges for businesses is that it’s harder for you to validate what’s going on from a communications perspective,” says Argast. “You can’t walk across the hall and talk to your financial officer. You’ve got to trust digital communication.”
Without the opportunity to have face-to-face conversations about financial matters, he recommends that businesses assume that email is a compromised communication chain. Therefore, validating through other channels is vital, particularly when instructions might cause financial harm.
4. A multi-channel world creates risk and opportunity
According to the CRTC, 83 per cent of phishing messages were sent by text over three months last year. As businesses begin relying on various channels — between Slack messages, emails, texts and social media — employees get overloaded with messages. “When we’re dealing with a volume of messages coming at us every day from diverse channels, it’s hard to be as consistently vigilant as when we were just concerned about email scams,” says Argast.
However, the benefit of a multi-channel environment is that if an employee receives an email they’re not sure about, they can text, call or Slack the sender to validate it. “It’s less likely that an attacker has compromised both your email and messaging systems.”
5. Government regulations force action
Until recent years, Canada and the United States lagged behind Europe on government regulations to protect private data. The General Data Protection Regulation (GDPR), which came into force in 2018, harmonizes national data privacy laws throughout the EU and enhances the protection of all EU residents’ personal data. “The standards from the GDPR are being brought to North America as we speak,” says Argast.
He adds that some rights and protections exist today that did not exist a couple of years ago. “So it’s really important that businesses familiarize themselves with them and find ways to bring their systems and processes into compliance because the fines can be up to 5 per cent of your annual revenue.”
Businesses can find a listing of privacy compliance regulatory standards on the Kobalt.io website.
How to protect your business: Start with these 2 things
“Security is often seen as a bit of a ‘nice to have’ rather than a ‘must have,’” Argast says — a reality especially true when economic conditions strain businesses. With a general tightening of budgets across Canada, many companies are postponing investments in security. Some are also laying off staff, which stretches existing resources.
That being said, there are a couple of core and critical things that businesses can do to stay safe and secure. After all, cyber security threats don’t slow down — attackers don’t care about poor business conditions.
Recognizing that businesses have limited time and money to implement cyber security systems, Argast urges owners to do two things, if nothing else:
- Complete a proper risk assessment. “Understand the threats that face your business and how to protect yourself against those threats,” he says. He adds that a good risk assessment will allow your business to understand the specific steps you can take, which don’t need to cost much.
Kobalt’s Security Gap Assessment can help identify your vulnerabilities and next steps.
- Educate your staff. “User education is very inexpensive but impactful. As organizations change staff, it’s vital to make sure both new staff and existing staff have a baseline of good training and awareness around cyber security best practices.”
Kobalt can help your business educate your staff through a continuous training model that can significantly reduce the risk of them falling victim to an attack. Take a look at their user education programs.
While businesses can’t stop all cyber security attacks from happening, being aware of current threats and being prepared for the ones that are most likely to impact your business can help keep your company, your employees and your customers safe. The right advice and support can also help you stay up-to-date on the threat landscape and recovery-ready at all times.
RBC business banking clients have access to special discounts on Kobalt.io solutions. Learn more or contact your Account Manager.
Diane Amato is a Toronto-based freelance writer who loves to talk about finances, travel and technology.