
Cybersecurity Threats: Important Considerations for the Future of Business — A Conversation with Kevin Ricci

Published on August 12, 2025

Background
Kevin Ricci is co-leader of Citrin Cooperman’s Cybersecurity Practice and has over 30 years of experience in technology services including consulting; security assessments; cybersecurity awareness training; social engineering simulations; IT auditing; fractional CISO; project management; data analysis; and compliance services including PCI DSS, for which he is a Qualified Security Assessor (QSA).

Mark Henry is co-leader of Citrin Cooperman’s Manufacturing and Distribution Industry Practice and works with middle-market companies and high net worth individuals on audit, financial reporting, and business consulting services as well as comprehensive mergers and acquisitions services including quality of earnings, cash flow projections, financial due diligence, negotiation support, and acquisition strategy formulation.

Henry: New and innovative cyberattack techniques are happening all the time. What do you see as the real concerns for the future and holes in cybersecurity compliance that companies typically miss?

Ricci: A little bit further down the road there's going to be quantum computing and things of that nature that are really going to blow through any type of cryptography we have in place right now. Artificial intelligence tools are really a concern here, because although AI is beneficial to businesses in many ways, it also can be used for evil purposes by these criminals. So, they're supercharging their attacks and are able to create a lot of new attack vectors using this technology.

Henry: For companies that take a proactive approach to cybersecurity compliance, how is their response better or different when attacks inevitably take place?

Ricci: Great question. Being proactive is really going to reduce the risk of even becoming a victim of a data breach or cyberattack; it's also going to reduce costs. For example, if you have a disaster recovery plan in place, it's going to help you react much more quickly in terms of your response times and get your business back up and running sooner and less expensively.

Henry: Let's talk more about some of the hidden costs of cyberattacks. What are companies not considering in their cost analysis?

Ricci: A lot of times, companies will take the approach of, “Well, I have cyber insurance, and that's going to pick up the tab for any of the costs involved.” There are many costs that come along with any type of cyberattack or data breach, ranging from the forensic costs of bringing in attorneys and IT professionals to undo the damage, to the replacement of potentially compromised software and hardware that has been affected during the attack. There could be fines and penalties that are going to come in from any regulations governing the data that may have been affected. And, of course, the reputational damage that comes along with an attack, which is very difficult to offset. That's going to erode confidence with customers and vendors, and most customers are going to be very reluctant to do business with a company that can't protect their data.

Henry: What is the major impetus for cyberattacks today?

Ricci: The impetus for cyberattacks ranges. It goes anywhere from these script kiddies, as they're known, like the Anonymous group, that usually want to take down your website because they have differing political views and have weaponized cyberattacks, using them as a weapon of war at this point. We're seeing this in Taiwan and Ukraine and elsewhere, but predominantly it's for profit. It's very lucrative to steal information from an unsuspecting customer or client because you can sell that information on the dark web or hold it hostage and get a ransom paid for it.

According to some statistics, the number one reason (about 91%) data breaches are initiated is through social engineering attacks. In the not-too-distant past, criminals realized it's very difficult to hack their way through firewalls, intrusion detection systems, and endpoint protections. That approach was very expensive and very time-consuming. In response, they have targeted the weakest link in the chain, us, the human factor. Through social engineering, which is basically deceiving us into opening an attachment that potentially was infected or clicking on a link that takes us to an infected website or compromising our own credentials, these bad actors can hack into systems and cause catastrophic damage.

Henry: How do you work with companies that have existing cyber or IT departments in-house to upskill and educate them on best practices or possible gaps to fill?

Ricci: To win over those individuals that are in the IT role, you never want to come in and take that adversarial approach with your finger pointing and saying, “Hey, you guys are doing this and this wrong.” You always want to come in with the attitude of improving things to benefit everyone. We want to get you some of the projects that you've been fighting to get across the finish line. We want to get those in place for you, and we're here to help. That approach is very effective for companies considering our services.

Henry: You’ve worked with really successful organizations who have had cyberattacks or successfully blocked cyberattacks. What are the top things that you've seen these companies do to help them remain responsive and agile?

Ricci: Typically, the number one reason companies can successfully combat these types of attacks is that they have buy-in from the top, and that culture runs through and imbues itself into all of the employees throughout the organization. If you don't have that buy-in from the leadership team, chances are it's not going to flow down, and people aren't going to take it seriously. They're going to put their defenses down and, unfortunately, become that next victim.

Henry: What are the most common scenarios that prompt a company to call you and the team for cybersecurity services?

Ricci: Oftentimes, we'll get the call from a company who has known some peer within the industry who's fallen victim to some type of attack, and then the light bulb goes off that “Wow, this isn't just some kind of an ethereal threat. This is something that could potentially bring our entire company down.” They don't want to be that next victim, so they'll call us in and try to assess their company, see where their gaps and vulnerabilities are, and assist with the remediation.

Citrin Cooperman’s Cybersecurity Practice helps companies assess their organizational vulnerabilities and provides actionable plans to defend against cyberattacks and data breaches. For more information on how to best safeguard your company in today’s challenging digital landscape, please contact Kevin Ricci or info@citrincooperman.com.