…But Protecting Your Company is a Year-Round Responsibility
by Craig Mertens
Every October, we celebrate a dark world with scary, dangerous monsters. We call October Cybersecurity Awareness Month, and during this month, we shine a spotlight on hackers, scammers, phishers, and cybercriminals of all kinds. Every year, the horror show gets scarier, and the attacks more damaging than the year before.
The digital world, according to data, is becoming increasingly dangerous. From 2023 to 2024, Microsoft saw a 23% increase in daily security events (or “signals”) across its customer base and is currently tracking over 1,500 “advanced persistent threat” (APT) actors, including hundreds of nation-state-sponsored hacking groups who blur the lines between espionage and crime.
This past September, the U.S. Secret Service investigated a series of “swatting calls,” false reports of violence at the homes of Democrat and Republican elected officials and judges. During the investigation, they uncovered a series of hidden “SIM farms” in New York, Connecticut, and New Jersey. These systems were operating out of rented apartments and empty office spaces and consisted of almost 100,000 SIM cards driven by hundreds of servers. Transnational criminal organizations and nation-state actors were using these SIM farms to conduct covert communications, sow violence and mistrust, and carry out massive fraud and scam operations. At peak traffic, this set of servers alone could send 30 million text messages per minute, letting anyone in the world launder their communications through a US gateway.
These technologies are just the tip of the iceberg. Across southeast Asia, the United Nations has estimated hundreds of thousands of enslaved persons are locked away in criminal prison camps run by organized crime groups and overseen by local warlords or corrupt government officials. In these compounds, these people are compelled to carry out a vast array of online fraud schemes, including “pig butchering” scams, in which individuals’ and companies’ finances are methodically dismantled and stolen.
Meanwhile, the explosion of AI technology that has commodified “voice cloning” and even high-quality deepfaked video, is making it easier than ever for fraudsters to impersonate friends, family members, and co-workers. Cybercrime is an extremely big business: a multi-trillion-dollar global industry rivaling even worldwide manufacturing in terms of size.
Fraud is Now Cheap and Profitable
Small and medium-sized businesses (SMBs) are easy targets in a world filled with online dangers. According to a new survey sponsored by Mastercard, 46% of SMBs have dealt with cyberattacks such as phishing, ransomware, and information-stealing malware, and up to 10% of SMBs have suffered attacks that led to bankruptcy or closure.
Costs of data breaches average about $6 million per incident in the financial industry, and financial businesses are hardest-hit by ransomware, malware attacks, phishing, and business email compromises (BECs). In these email attacks, hackers impersonate customers and company executives to convince employees to release funds and change wire information. Almost a third of all phishing attacks are directed at the financial industry, while BECs, generally considered the most expensive cyberfraud attacks, have cumulatively cost companies up to $50 billion in direct losses.
SMBs have multiple points of vulnerability. They typically lack dedicated cybersecurity personnel, have business processes that involve small numbers of people and limited formal controls, and rarely devote the resources necessary to implement far-reaching and consistently-updated security technologies and plans. Often, SMB leaders hope they can “keep their heads down” and avoid becoming targets — but in a world where cybercriminals can infinitely scale automated attacks and AI-powered frauds, no one is too large to be safe and no one is too small to be unnoticed.
One illustrative example comes from an SMB with roughly $100 million/year revenue in a specialized market. The company has a robust social media presence, and its marketing department had made sure that the company’s social accounts were kept up-to-date. In this case, the CEO was giving a presentation at a major industry conference, and both the corporate accounts and his own personal social media accounts mentioned where he was, including photos at the event. While this was going on, the company CFO got a voicemail from the CEO, saying that he had connected with a smaller competitor in the market that was interested in being acquired, and he needed a multi-million-dollar funds transfer as earnest money for the deal.
The voicemail, of course, was faked; but the voice was real, or at least as real as AI voice cloning could make it. The hackers knew who the company’s leadership was thanks to open-source research on LinkedIn and Facebook, where they were, and which other companies at the event might represent plausible takeover targets. To make matters worse, the sense of urgency was palpable enough that only internal finance and technical controls caught what would have been a very costly and potentially fatal mistake.

While this seems like one of the more extreme examples of fraud, these kinds of attacks occur all the time, particularly in industries such as finance and inside corporate AR/AP cycles. A common attack is for a hacker to get inside a funds transfer loop by conducting a “man in the middle” BEC, often registering “lookalike” domains (for example, replacing letters like “L” with a “1” — e.g., “national” becomes “nationa1”) to convince one side or the other that they’re the legitimate point of contact. Once a hacker controls communications with one side of the transaction, it is a simple matter to compromise the other side as well, letting them orchestrate wire transfer frauds that can total tens of millions of dollars.
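The lookalike-domain trick described above is one that a finance team can screen for mechanically before anyone acts on a wire-change request. The following is an added example, not code from the article or from Signivault: it folds common character substitutions (the “l” to “1” swap in the text, plus a few other assumed ones), checks one-character typosquats by edit distance, and catches a trusted name reused as a subdomain of someone else’s domain. The trusted domains and the From headers are constructed sample data, and the `.example`/`.test` names are placeholders.

```python
"""Lookalike-sender check for payment-change requests (added example, not from the article)."""

# Constructed sample: domains the finance team legitimately exchanges payment details with.
TRUSTED_DOMAINS = {"national.example", "bigbank.example", "vendorco.example"}

# Character substitutions commonly used to build lookalike names (assumed list, not exhaustive).
# Multi-character entries are applied first so "rn" is folded to "m" before single characters.
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"}


def normalize(domain: str) -> str:
    """Fold look-alike characters so 'nationa1' and 'national' compare equal."""
    out = domain.lower()
    for fake, real in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character typosquats like 'nationall.example'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain part of an address such as 'CFO <cfo@nationa1.example>'."""
    addr = address.strip().rstrip(">")
    return addr.rsplit("@", 1)[-1].strip().lower()


def assess_sender(address: str, trusted=TRUSTED_DOMAINS):
    """Classify a sender as trusted, lookalike (with the domain it imitates) or unknown."""
    dom = sender_domain(address)
    for t in sorted(trusted):
        if dom == t or dom.endswith("." + t):
            return ("trusted", t)  # exact domain or a genuine subdomain of it
    for t in sorted(trusted):
        if dom.startswith(t + "."):
            return ("lookalike", t)  # trusted name used as a subdomain of another domain
        if normalize(dom) == normalize(t):
            return ("lookalike", t)  # homoglyph substitution, e.g. 'l' -> '1'
        if levenshtein(dom, t) <= 1:
            return ("lookalike", t)  # one-character typosquat
    return ("unknown", None)


# Constructed sample: From headers seen on messages requesting payment changes.
SAMPLE_FROM_HEADERS = [
    "cfo@national.example",
    "ap@mail.national.example",
    "cfo@nationa1.example",
    "treasury@bigbank.examp1e",
    "billing@vendorco.example.attacker.test",
    "controller@nationall.example",
    "someone@unrelated.test",
]


def triage(headers):
    """Return (sender, imitated_domain) for each sender that resembles a trusted partner but is not one."""
    return [(h, t) for h in headers for verdict, t in [assess_sender(h)] if verdict == "lookalike"]


if __name__ == "__main__":
    for sender, target in triage(SAMPLE_FROM_HEADERS):
        print(f"HOLD for out-of-band verification: {sender} imitates {target}")
```

A “lookalike” verdict should route the request to the out-of-band verification step (a phone call to a number already on file, never one taken from the suspicious message); an “unknown” verdict is not proof of legitimacy, only the absence of an obvious imitation.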
The Vulnerability of SaaS
Another point of vulnerability for SMBs is the ubiquitous software-as-a-service (SaaS) platforms nearly all companies use. Business email, accounting, corporate operations, and technology are routinely outsourced to third parties. As a result, the compromise of a single online service can result in a cascade of losses.
In 2023, a Chinese state hacking group managed to compromise Microsoft’s online email service, which gave them access to virtually every organization using Microsoft’s hosted Outlook email — including unclassified State Department emails. More recently, this year a “zero day” exploit against on-premises Microsoft SharePoint servers led to compromises of DHS and the National Nuclear Security Administration, while recent compromises of secure file-transfer software affected companies transferring extremely sensitive corporate financial data to their auditors. In short, you are as vulnerable as the weakest link in your software and digital supply chain, many of which are top-priority targets for APTs around the world.
With this kind of risk, companies should act decisively to protect themselves technically, financially, and legally. This is particularly true as regulatory requirements become more onerous. For example, the Payment Card Industry security standards group (generally referred to as “PCI-DSS” for its data security standards) has updated its requirements for anyone handling, even indirectly, credit card data, requiring that all companies engage outside parties to conduct automated vulnerability scans of corporate networks. In the US, a new cybersecurity incident and breach notification law, CIRCIA, is due to go into effect in 2026; it will mandate new federal notification rules for covered industries, including the financial sector. Increasingly, the financial threat to companies from cybercrime covers not only direct fraud costs, but losses from derivative legal claims and potential regulatory fines.
What Can a Company Do to Protect Itself?
Although losses and regulatory requirements are the “stick,” governments and insurance companies are looking to provide “carrots” for companies to improve their cyber-security postures.
In Texas, a new law (SB 2610) indemnifies SMBs with fewer than 250 employees against punitive damages in civil cases arising from cybersecurity breaches, but only if the company maintains a compliant cybersecurity program. For companies with fewer than 100 employees, this can be satisfied with a program that implements the requirements of the Center for Internet Security’s IG1 safeguards, a set of 56 specific controls (accessible at https://learn.cisecurity.org).
For larger companies, the law requires a program in compliance with more sophisticated programs, such as NIST’s Controlled Unclassified Information (CUI) protection program, its federal agency or FedRAMP cloud cybersecurity programs, and healthcare’s HITRUST framework. While these programs can be complex to implement and keep up to date, the benefit of limiting legal damages in the event of a customer-affecting breach makes this worthwhile if you operate in jurisdictions that afford such protections. We, at Signivault, recommend consulting legal counsel to understand the specific requirements of these laws, and how they can protect you in the event of litigation.
You should review your cyber insurance policies to know exactly what’s covered and how limits are calculated. Also, insurance companies are seeking to reduce their risk exposure by helping proactively defend their customers via tools and training. For example, insurance provider Chubb, facing growing cybersecurity claims in the US, now offers enhanced cybersecurity training and applications to its policyholders along with a partnership with the security assessment and penetration-testing firm NetSPI to offer services at a reduced rate.
For small companies, a number of universities conduct “cybersecurity clinics” that match businesses with students majoring in cybersecurity and computer science, who can provide assessments and assistance in implementing technical controls. (Many of these can be found at CISA’s tools and services guide, at https://www.cisa.gov/resources-tools/services). This can be a cost-effective approach to creating a security baseline for smaller companies.
One of the most complex and time-consuming efforts after a cybersecurity incident is determining exactly what happened. Working with your IT team or an outside vendor to consolidate software logging and event tracing, giving your security team a “single pane of glass” for everything happening inside your systems, can be an invaluable step that also helps you analyze your overall technical risk.
Likewise, get ahead of potential fraud by instituting processes that require your employees to externally verify and internally validate potential changes to financial information such as account data and wires. Keep your employees trained on internal processes and cybersecurity risks and ensure that training updates occur at least annually.
Finally, conduct a “data value chain” audit that tracks what data you’re capturing, how it’s being moved and used, and where encryption can be used to help protect sensitive data. In many cases, organizations maintain archives of data that generate risk without concomitant value; where possible, delete data when you don’t need it, anonymize it if you intend to use it for data analytic projects, and encrypt it when you need to keep it but it’s not part of your immediate operating picture. By keeping a “sliding window” of data retention, where sensitive data is only exposed if your operations demand it, you can reduce your risk of a breach.
October may have been Cybersecurity Awareness Month, but protecting your company is a year-round responsibility. By making security an executive priority and pushing your organization to take a “data safety first” mentality, you can reduce your risk. The world is getting more dangerous, but with the right focus on cybersecurity, you can build the kind of walls that can keep your company safe.