Rising Zero-Day Exploits Call For Stronger Cybersecurity
For businesses of all sizes and across all industries, hackers have become an omnipresent threat to profit and general functioning, and they’re growing more menacing by the second. Last year, a new cyberattack was launched every 11 seconds across the globe, on average, according to a report by Cybersecurity Ventures—the publisher of Cybercrime magazine—and by 2025, cybercrime is estimated to cost businesses upwards of $10.5 trillion a year worldwide. As cybercriminals continue to ramp up their efforts and shift their focus toward small- to mid-sized businesses, companies’ cybersecurity measures must strengthen alongside them—or they face the inevitable risk of falling under attack.
Last year saw the most zero-day exploits caught in a single year. Zero-day exploits (0-days) are a type of cyberattack that occurs when hackers identify and exploit an unknown flaw in computer software or hardware, and then release a malware attack on the system before developers can fix, or create a patch for, the problem. Cybercriminals then use the breach to restrict the developer’s access to data or a computer system until the victim pays the requested ransom amount. Common types of zero-day attacks are delivered through email phishing, spear phishing and email spoofing.
Zero-day exploits are hardly ever identified right away. Rather, it takes companies an average of 55 days to identify a zero-day exploit, according to New York-based cybersecurity firm IT Governance USA. Business insurance provider Embroker, also in New York, reports that the effects can be felt years after the attack due to lost revenue, data and business, as well as disruptions in day-to-day business flow coupled with a tarnished reputation. Researchers from the Massachusetts Institute of Technology (MIT) tracked at least 66 zero-day exploits identified by cybersecurity defenders, up from 37 zero-days in 2020 and 28 in 2019, according to Technology Review. However, TechHQ reports that this number isn’t indicative of rising rates alone; it also shows that cybersecurity defenders are doing a better job of identifying attacks.
In 2021, a stream of high-profile zero-day attacks affected large businesses. Here’s a brief look at some of the major ones and their impact.
- February 2021, attack on Florida water system. A hacker infiltrated the water treatment system in Oldsmar, Florida, and tried to poison the city’s water supply by increasing the level of sodium hydroxide, or lye, by more than 100 times the normal levels. An operator was watching and immediately reduced the levels to normal, so no harm occurred.
- April 2021, attack on Colonial Pipeline. In late April, the U.S. saw a cyberattack on Colonial Pipeline, which transports more than 100 million gallons of fuel and gasoline between New York and Houston every day, causing gas prices to soar nationwide and costing the company $4.6 million in bitcoin. It also led millions of Americans to scramble for gasoline, as a state of emergency was declared in 17 states and Washington, D.C.
- May 2021, attack on JBS USA, government officials. Late May brought an attack on Brazil-based JBS USA, which is responsible for one-fifth of the world’s meat supply; the attack disabled the company’s slaughterhouse and affected all its North American and Australian facilities. Also in late May, Russian hackers launched an attack on 3,000 emails at more than 150 government organizations, the majority of which were U.S. officials.
- July 2021, attack on LinkedIn. LinkedIn, the Mountain View, California-based business social network platform with a worldwide membership of upwards of 740 million, experienced a cyberattack that affected more than 90 percent of its membership. It occurred when Russian government hackers sent LinkedIn messages to Western European government officials that included malware links which, upon being clicked, were designed to exploit existing vulnerabilities in WebKit, the Apple-designed browser engine used in Safari and all major iOS browsers.
- December 2021, attack on Schreiber Foods. A cream cheese shortage caused issues for bagel shops, bakeries and dessert parlors during the holiday season, and it was caused by a cyberattack in October on the plants and distribution centers of Green Bay, Wisconsin-based Schreiber Foods.
Because zero-day attacks target unknown system vulnerabilities, and because practices are not being put into place to properly safeguard against them, they continue to occur at prolific rates. As a result, companies remain susceptible to ongoing attacks. And like every other industry, promotional products suppliers, distributors and business services platforms are all at risk.
“Companies are running a multitude of software applications, often some which haven’t been properly updated, some which are inherently vulnerable and some which are no longer unsupported,” says Scott A. Nussinow, MAS, executive vice president of Auburn, Maine, business services provider ArtworkServicesUSA (AWS), whose background spans marketing, sales, communications, operations and technology. “These provide for easy and very discreet infiltration. Because so many small businesses are either lax in their security—or worse, think they’re too small to be considered for attack—they make perfect targets.”
How Can Promotional Products Companies Prepare?
Even amidst the mounting risks, there are still many preventative actions that promotional products companies can take to protect the personal information of clients, partners and staff, and keep business running as normal.
PPB Newslink spoke more with Nussinow to learn about his three key suggestions to mitigate cyberattacks.
1. Maintain backups and update applications.
“In addition to maintaining backups, minimize your exposed surface by purging older, seldom-used applications, and by keeping remaining applications updated. Multifactor authentication for all system log-ins on all devices is also advised,” says Nussinow. “Assign information security duties to someone who is appropriately trained and who is responsible to keep the entire organization aware of these continually-developing threats.”
2. Test, train and monitor.
“Engage an outside firm to assist in penetration testing, training and monitoring,” says Nussinow. “While this isn’t inexpensive, it’s far easier and less disruptive than actually being held for ransom. And though the average ransom in 2021 was over $220,000, paying it still doesn’t guarantee that you’ll recover much of your data, nor does the cost include lost time, productivity, etc.”
3. …and stay vigilant!
“We all know to be wary of .exe file attachments, especially from unknown senders, though many phishing ransomware emails are made to look like they’re coming from someone we already know,” says Nussinow. “Frighteningly enough, most ransomware phishing attack documents are .doc and .dot files—the extensions for Microsoft Word.”