By now, you’ve heard it over and over: Cyber threats are growing more frequent and sophisticated by the day.
Yes, there is no shortage of content warning businesses not to grow complacent about cybersecurity. Yet, while large businesses invest heavily in protecting against attacks, hackers are increasingly pivoting to target small and medium-sized businesses — a neglected and under-reported arena filled with softer targets due to insufficient security measures.
Over 43% of cyber attacks in 2023 targeted small businesses, and only 14% of those businesses were prepared for such an attack, so this is no small matter.
Cyber threats evolve quickly, especially in the age of AI, which can make hacking tools smarter and more challenging to detect.
That’s why analyzing real-world cybersecurity incidents is invaluable for identifying oversights and potential lapses in your safeguards. After all, if a vulnerability granted cybercriminals access to another company, that same vulnerability could leave your organization exposed, too.
Let’s dive into ten lessons from headline-grabbing cybersecurity breaches that could help your business avoid becoming tomorrow’s front-page story.
What lessons can be learned from the biggest cyberattacks in recent history?
Vulnerabilities in a trusted partner’s tools or services can provide backdoor access to your systems, as in the breach of Progress Software’s MOVEit file transfer solution.
By compromising the security of vendors, contractors, and suppliers, attackers can access the networks of countless organizations around the world.
Lesson: Assess supplier, vendor, and partner relationships thoroughly, scrutinizing security measures and limiting integration points that grant access to your infrastructure.
Despite increased awareness of cyber risks and training against threats like phishing, social engineering is an alarmingly pervasive and effective attack vector.
Recent incidents, including the breach of MGM Resorts, which (if the hacking group that claimed credit is to be believed) was enabled by “vishing,” or phone-call trickery, highlight persistent vulnerabilities to human manipulation.
Lesson: Comprehensive, continuous, and creative approaches to security awareness education are imperative to combat social engineering threats.
The ability of hackers to access the personal information of over 37 million T-Mobile customers highlights the perils of improperly managed credentials and excessive access.
Lesson: Reduce risk exposure through stringent access control policies ensuring least-privilege permissions to users across infrastructure, systems, services, and data repositories.
The ransomware attack on Royal Mail, the British postal service, which exploited flaws in its security and inflicted over six weeks of severe disruption to postal services in the UK, underscores how technical debt and inadequate patch management leave organizations vulnerable.
Lesson: Prioritize timely patching and upgrading software assets across the environment, focusing most urgently on internet-facing services and tools exposed to higher risk.
Distributed, hybrid work magnifies attack surfaces through home networks, remote access paths, and unmanaged devices operating off corporate premises.
Multiple studies have revealed that remote or hybrid work is linked to increased cyber exposure.
Lesson: Implement a zero-trust framework for secure remote work environments, ensuring that employees have least-privilege access to corporate resources regardless of their location.
While APIs drive efficient automation and connections between crucial business applications, they also increase exposure. The breach of T-Mobile highlights the growing imperative of managing this enlarged attack surface.
Lesson: Comprehensive API security must keep pace with business priorities: secure the authentication, authorization, and encryption of every API integration, log API activity, and scan continuously for evolving threats.
Prominent attacks like those launched against Royal Mail and manufacturing giant Clorox demonstrate ransomware’s devastating potential when protections fail to limit the blast radius. Infection of a single system lets threat actors rapidly spread, encrypt data across the environment, and cause irreparable destruction.
Lesson: Network microsegmentation, multi-factor authentication protocols for admin roles, and air-gapped offline backups provide fundamentals for reliable business continuity if ransomware hits core infrastructure.
The longer an intruder remains undetected, the more opportunity they have to inflict significant harm, which spotlights the severe risks of lengthy dwell times and downtime.
Lesson: Early detection is vital to rapid recovery.
While efforts to prevent successful attacks are essential, you should also be prepared for the fallout of a breach. Lacking an incident response plan renders organizations vastly more vulnerable to destructive attacks — not to mention fiduciary and legal liabilities.
Lesson: Develop and continually update detailed response plans encompassing containment procedures, internal and external communications, legal disclosure duties, and more.
Technical controls inevitably have limits in stopping attacks, especially social engineering threats. This reality emphasizes the importance of empowering staff to recognize and resist manipulation.
Lesson: Establish a formal security awareness training regimen tailored to your organization’s activities and risks, molded by insights into current staff vulnerability.
The time is now for extreme cyber vigilance.
To begin applying these lessons, prioritize assessing risks and vulnerabilities. Conduct simulations and testing to uncover gaps and dedicate leadership and resources to integrating security across systems and staff.
All businesses of any size should think and act proactively and invest now in improved cybersecurity. By implementing these measures, business owners can safeguard their financial and personal data and keep their businesses running smoothly.
If you are a client and would like to book a consultation, call us at +1 (212) 382-3939 or contact us here to set up a time.
If you aren’t a client, why not? We can take care of your accounting, bookkeeping, tax, and CFO needs so that you don’t have to worry about any of them. Interested? Contact us here to set up a no-obligation consultation.