GRAND RAPIDS, Mich.—Keeping up with work and business emails can be painful enough without having to log in to a virtual private network, or VPN, and then enter a six-digit number texted to your phone to gain access to the company's computer systems.
But those extra steps of multifactor authentication, or MFA, have become a necessary security tool in a world of increasing cybercrimes.
Businesses in the oil, construction, machinery and plastics processing markets are among the most targeted and need to take action, Steve Searl, Federated Insurance manager, told members of the American Mold Builders Association on June 24 at its conference in Grand Rapids.
"Colonial Pipeline was breached because of a leaked password— one password," Searl said of the hack that brought down the largest fuel pipeline in the U.S. and led to widespread gasoline shortages in May.
The culprits, a Russia-linked cybercrime group called DarkSide, got into the network through a VPN, which lets employees remotely access a computer network.
The VPN account didn't use MFA, so the hackers could gain access with a compromised name and password.
MFA adds one or more layers of security to online accounts. Employees must verify their identity using a second factor, such as a phone or other mobile device, which prevents anyone else from logging in even if they know the password.
Investigators have said it's still a mystery how the crooks obtained the Colonial Pipeline Co. credentials: perhaps from a batch of leaked passwords on the dark web, or perhaps they figured them out on their own.
In some cases, phishing scams are used. The crook sends a fraudulent message designed to either trick someone into divulging sensitive information or to deploy malicious software that holds their system for ransom.
For example, the hacker might send an employee a prompt to reset a supposedly expiring password and then gain access to the email server and possibly more from there.
Cyber experts also warn people not to engage with suspected hackers.
Alan Rothenbuecher, AMBA's attorney who is with Benesch Law in Cleveland, told conference attendees about an incident in which he received an email asking for donations to buy gift cards for a charitable cause he supported.
Rothenbuecher said he knew enough about the charitable group and the supposed sender that red flags went up that the email was a scam. He made up a reply that the sender's account was in arrears and he would need a retainer of $50,000 to advance $50. The scammer responded, Rothenbuecher said, telling him he was missing the point about a charity in immediate need of money.
Rothenbuecher said he then backed off and contacted the firm's information technology specialist.
"Had I done more, they would have had more access to my information so it was a huge mistake," Rothenbuecher told AMBA members, jokingly adding, "IT said you're going to three-factor authentication now."
Westminster Tool Inc. in Plainfield, Conn., has been beefing up its risk mitigation strategy, including a switch to duo-factor authentication across all devices.
Founded by Ray Coombs and AMBA's 2021 Mold Maker of the Year, Westminster Tool invests at least 10 percent of profits back into its production and people, including training.
Cybersecurity training sessions are scheduled quarterly and phishing tests are conducted monthly to identify gaps in employee training, Westminster Chief Financial Officer Colby Coombs told conference attendees. Executives and company leaders in finance, human resources and management undergo role-based training because those positions are vulnerable, too.
In addition, the company increased virus and malware protection. "These are steps that can be taken quickly for next to nothing," Coombs said.
By following best practices, Westminster Tool gained 70 points on its compliance audit (NIST 800-71) score for cybersecurity.
There's a long list of best practices related to sensitive information, wireless security, software, passwords, websites and money transfers.
Industry experts recommend identifying sensitive information. Take an inventory of all devices where sensitive data is stored. Look at what kind of information is collected at each entry point and who has or could have access to it.
Limit the information gathered as well. Don't use Social Security numbers unless required. Don't keep customer credit card information unless needed.
To improve wireless security, use WPA2 encryption or higher and update router software regularly. Also, install antivirus software and activate spam and phishing filters.
Another best practice is to insure the company's exposure against the costs of responding to data breaches, remediating damage from unauthorized access or malware and cyber extortion, such as ransomware.
There's also coverage for responding to legal actions taken against a business for data breaches, network security events and electronic media incidents.
Ryan Sulkin, a Benesch Law attorney who specializes in data privacy and cybersecurity, told AMBA members that it's important to know their responsibility. He said the law requires businesses to take "reasonable and appropriate security" measures to protect data, systems and networks.
"Organizations that are best equipped to defend themselves legally when there's a cybersecurity event have really strong governance, strong policies and a really good story to tell that takes into account the size of their organization and the reasonable budget they have to spend on security," Sulkin said. "At the end of the day, they just got beat by an adversary much larger than they were and potentially funded by an enemy of the United States."