Practus LLP is a JVC Law Firm Finder Partner
Cybersecurity incidents are skyrocketing around the world, and the jewelry industry has not been immune from these incidents. Jewelry professionals have recently faced many cyberattacks, ranging from data breaches and e-commerce hacks to compromised payment systems. Cyberattacks like these are expensive and disruptive to manage, and can harm a company’s reputation and brand value.
Good cybersecurity practices can be complex and costly, however, and many companies, believing that they are not targets for cybercriminals, do nothing until they find out too late that all businesses, including theirs, are fair game for a cyberattack.
Jewelry professionals should undertake a full assessment of the cyber risks their companies face and the steps that they must take to address such exposure, but there are three risks that all companies can immediately address to reduce the possibility of an online attack.
First of all, what is a cyberattack?
A cyberattack is any attack on a website or electronic portal that disrupts the functioning of that site. It can take one of many forms.
For example, according to the Verizon 2021 Data Breach Investigations Report (“DBIR”), Distributed Denial-of-Service (DDoS) attacks were one of the most common cyberattacks in 2020, with 14,335 incidents. In a DDoS attack, the attacker floods the target website with an overwhelming volume of traffic that snarls and slows the site. Attackers demand a ransom in exchange for discontinuing the attack.
A similar type of threat is when an attacker instead locks the site and prevents it from operating, again often demanding a ransom to unlock the site.
Unfortunately, however, cyberattackers do not always stop their attack or unlock the site once the target pays the ransom, and targets that pay can become attractive second targets to other cybercriminals.
What kind of company is targeted by cyberattackers?
In short: all businesses, large and small. Of great note to the jewelry industry, the Verizon DBIR report indicates that in 2020 small businesses accounted for almost half of the number of breaches – just about equal to the number in large institutions.
In addition, one of the biggest and fastest emerging risks is through supply-chain IT vendors, where attackers make their way into companies through the backdoor of these providers.
What Three Risks Must You Address to Lower Risk of Cyberattacks?
Risk #1: Phishing, spear phishing, whaling
One of the biggest risks that jewelry companies (like others) face is that a staff member will respond to a social engineering attack, such as phishing, spear phishing or whaling. Phishing is one of the top causes of breaches, with cloud-based email servers being a target of choice.
“Phishing” messages are email or text messages that are sent in bulk and that look like they are from reputable sources, such as a bank, a credit card company or another trusted provider. “Spear phishing” messages are phishing messages that are targeted to an individual, and “whaling” are spear phishing attacks that target high-profile executives.
When the recipient clicks on a link in such a message, the attacker can install malware, ransomware, or other disruptive programs that can shut down your system.
Risk #2: Default passwords and poor credential control
A second risk is that many companies leave default passwords in place on their systems, so that anyone who knows them can log in. According to the 2021 IBM Security – Cost of a Data Breach Report, compromised credentials like these are one of the most frequent – and costliest – vectors for a data breach.
Risk #3: Out of date, end-of-life, or unsupported software
Finally, many companies use unsupported or out-of-date software or apps in their platforms, which provides an easy back-door entry for bad actors to hack into their systems. This is even riskier in a post-COVID world, where remote workforces and vendors may be using public or unsecured networks to access your systems.
What steps can you take right now to address these 3 risks?
- Develop written policies and procedures, including on phishing, password and credential management, and software updates and upgrades.
- Train your employees on these policies. Simply stating that your staff should not open suspicious emails or click on any links does not help if the employee doesn’t know what to look for.
- Upgrade your systems and remove unsupported software.
- Install password management software and other credential controls.
- Engage experienced counsel to help quarterback your company through cybersecurity compliance, including with governing laws, regulations and industry guidelines.
There are many other cybersecurity risks to consider in protecting your jewelry e-commerce business and in complying with governing laws, regulations and industry standards, especially as cyber criminals become more sophisticated and aggressive. Law firms like Practus offer small businesses outside general counsel services that can allow you to have access to legal counsel at an affordable and predictable cost.