The crux of Ron Borsholm's presentation at the WFCA this February was that whole organizations can be shut down by cyber criminals and ransomed for their own data. Borsholm says business exposure and vulnerability to cybercrime is a modern fact of life.
"The criminals are more organized, firewalls becoming irrelevant," and social engineering is the new crime wave. Borsholm says most breaches occur at large companies. "But this is changing. Small companies and organizations are now being targeted."
The reason is the lax state of cybersecurity in small business: "Security is not prevalent in small business, less than 50 percent. Big security exposures prevail."
Cybersecurity, like everything else, has had to adapt to major shifts such as Covid-19: "Work at home has changed the security environment." Awareness of threats is no longer reinforced by peers in a close-knit work environment. "People are falling for phishing attacks on their emails. Covid themes are attractive bait." Covid-19 email threats now number in the millions. Borsholm says the volume peaked in April 2020 but continues unabated.
For those who don't know the difference between the front end and the back end of the systems they use, Borsholm pointed out that the level of encryption, and of anonymity, rises the deeper you go into the net.
"Dark Web is part of the web, surface web, deep web, and dark web. A dark web Tor browser is invisible and anonymous due to massive encryption. At this level of information technology you find things like online wet market, guns and drugs for sale, child porn, this criminal activity is operating in the dark web. Bitcoin exchanges on places like the now-defunct Silk Road dark website allowed the dark web to flourish."
But even on the surface web, things are hardly rosy. "Social Engineering has become the biggest threat. Masquerading as someone or something else," says Borsholm. Email is the main channel for cybercriminals. "The old rule of 'Don't click the attachment' is now only 9 percent of phishing. Now it's click here on any number of enticements, links in emails, 68 percent. Malware is delivered most often by clicking a link followed by data entry to obtain confidential information."
Borsholm warns, "Legitimate looking requests abound. Themes include UPS Shipping Notices, or Starbucks bonuses, or Deactivation of old OneDrive account. Phishing is more sophisticated toward targeting specific people in an organization." Cybercrime groups now run their own research departments.
"Half of an organization's employees will be fooled by phishing attacks, through all ranks right to the top executive and board level." Borsholm calls phishing a psychological attack: "So look at the sender, watch for vague or blank greetings, watch for emotional and urgent demands, and watch out for requests. Always be wary of attachments."
Ransomware is another form of malware delivered through click-bait, and it grew out of criminals researching company personnel and deciding whom to target for a data breach.
Borsholm says prevention has become more effective in achieving a reduction in the number of ransomware payments made. Even when the company's data is restored, however, "the stolen data winds up in the Dark Web." Credit card and identity theft is rampant on the dark web.
Malware has become commonplace, and less sophisticated perpetrators are succeeding in deploying it. Complete business shutdowns last until the ransomware demands are met: payables, receivables, banking access and tax filing reports are gone. Recovery of encrypted data takes days or weeks, with lost money, lost sales, lost reports, and no ability to proceed. Employees are laid off while data recovery takes place.
This level of crime has the same effects as being robbed at gunpoint: fear, sleeplessness, and other trauma-related effects. "There is a large health impact from the threats and actions of cybercriminals."
Borsholm says there are important questions to ask about the security of a business enterprise. "Are service providers equipped to deal with backup and recovery?" Is there a culture of prevention enacted across the board, with employees and management at all levels? "Training is the key to stopping ransomware, malware, phishing attacks from succeeding. All staff play a role in preventing attacks from getting through.
"Personalized training has to be designed to meet organizational needs. Human resources departments face common attack, second only to the top where the money and decisions are made. HR opens the door to multiple attacks."
A company has to reduce threats: "Don't expect to eliminate, but stay current with threats out there. Internal vulnerability threats can be designed. This is called Offensive Security. Have an incident response plan. If it's going to happen it calls for court intervention, and immediate communications with employees or clients. You may be wise to engage a cybersecurity firm (on a retainer basis) to execute an incident response plan."
How much cybersecurity you need depends on your situation, and cyberinsurance might be necessary. If you are insured, you have to carefully document spending on the recovery process, because being insured means being compliant with the policy you purchased.
In today's world, a well-run malware deployment might involve a longer game, such as leaving malware in place for an attack at a later date. Social media has a role in distributing criminal software, given how many platforms there are. Then there are text messages on phones, and compromised websites (where the criminals gain access to credit card details).
Borsholm says phishing is now done by organized crime groups: researchers create business portfolios, which are sent to the ransomware department of the crime organization, and then front-end people carry out the attacks, right down to operating call-in centres. "It's very organized, and IT security is struggling because of manpower. They face more bad guys, with fewer good guys."
This was the WFCA's 40th convention and the first to go virtual. Attendance at the WFCA annual conference (held on the Hopin virtual conference platform) was in the hundreds over the three days of Feb. 10 to 12, 2021.
Part of the housekeeping of the organization involved presentation of a new Policies and Procedure Manual, as discussed on the main stage by Stephen Hammond: "These are the principles that we hold." The organization of silviculturalists, nursery operators, and tree planting companies adheres to the standards of the policy manual. "This is an objective thing," says Hammond.
The boots on the ground work in a tough environment, and they need guidelines. Jordan Tesiuk, a Forestry Safety Advocate for silviculture, speaking in this forum, says, "Many of the rules in our proposal are universal, there's a clear set of rules to follow. Rights, respect and boundaries are the same to make people fit, correct behaviour and move forward," to stay on the job and keep the workplace harmonious.
Organizers say the code of principles must be applied to make changes; 'just be nice and respectful to one another' doesn't wash.
Further discussion within the board running the organization will take place before a revised policy and procedures manual is finalized ahead of this year's planting season.