There are a lot of estimates about the costs of ransomware attacks and the costs of cybercrime. A technical writer with Astra estimates that the cost of the average cyber attack grew from $10,000 in 2021 to $18,000 in 2022. By 2025 the average cost will increase tenfold. In the U.S., 40 percent of cyber attacks netted the attacker more than $25,000.
According to the FBI’s Internet Crime Report for 2021, cybercrimes cost $6.9 billion or more. According to Cybersecurity Ventures, the cost of cybercrime will hit $10.5 trillion annually by 2025. It seems almost ironic to use the term “annually” because the annual increases tend to be double, triple or even quadruple digits. The Gartner corporation predicts that during the next two years, 45 percent of global organizations will be impacted in some way by a cyber attack.
Email is a constant vehicle for cyber attacks and now more than 4.2 billion people use email, a number that is likely to grow to 4.7 billion by 2026.
Increasingly people need to plug in to the Internet to transact the most basic of activities. One prediction is that there will be 7.5 billion Internet users by 2030.
There are many avenues for phishing and for cyber attacks that use increasingly insidious viruses.
“Ransomware attacks on businesses both large and small are skyrocketing,” says Jeff Knoepke of Alert Rental Software. “As our businesses become more and more dependent on computer technology for daily operations, losing access to your systems can be a devastating blow. You can lose everything from financial records to upcoming orders, making it nearly impossible to operate.”
So given the seemingly high odds stacked against owners of businesses that work with hundreds or thousands of customers who must give up sensitive financial data to do business with you, let’s take a look at some of what a rental company can do to protect its business against attacks. RER spoke with rental companies and many software providers to put together some tips that might help.
Educate and incessantly remind your staff:
Most software providers in the rental industry have effective systems to help rental companies protect their data. We’ll get to those. But as Knoepke says, most hackers don’t need to use sophisticated tools to get past firewalls and “hack” their way in. Most of them waltz in the front door, invited, through a phishing attack because a rental center employee opens a link in an email or text message that appears to be from either a trusted contact or one that isn’t well known but appears harmless. The seemingly innocent link loads the ransomware onto that computer, and it immediately begins to replicate itself across the network.
Bob Kendall, president of Seattle-based Star Rentals, says his company uses “an internal and constant campaign of ‘remind, remind, remind!’ Flood employees with communications about phishing scams, fraud, etc.”
It’s important to educate staff to question any email with an attachment that looks odd. Spelling or grammatical errors are sometimes a sign of something off-kilter. Always carefully check the sender’s email address. Often official-sounding emails that are supposedly from banks or government offices come from a casual Gmail account that could have been set up by anybody.
Also, staff should be doubly careful about opening attachments that they weren’t expecting. If in doubt, contact the sender to see if it really came from that party.
And if a worker makes a mistake and realizes it, make sure they immediately inform IT staff. Don’t punish them, or they may not admit the error; such mistakes can happen to industry veterans as well as newcomers. Alerting appropriate staff immediately can minimize the damage.
More than reminding or admonishing, training is required:
Clare McCormick, general manager of Wynne Systems, recommends concentrated levels of training for employees.
“We can fall prey to attacks like phishing due to the attacker’s ability to play on our thoughts and emotions,” McCormick says. “It’s important to train users on how to spot and react to any signs of an attack on your organization. A proactive plan should be put in place to ensure employees are getting a foundational and continued level of education on the many different methods that attackers utilize to gain access to an organization’s systems. This is increasingly important if your organization has high turnover in an area like the rental desk for example. New employees can be more susceptible to attacks due to their lack of knowledge about your rental organization and their eagerness to make a good first impression at work. They should be trained as quickly as possible to spot attacks such as someone posing as a high-ranking employee requesting money or special access.”
You or your IT staff don’t have to do the training yourselves. Consider subscribing to services like KnowBe4.com, which provide monthly phishing simulations and cyber security training to keep your team vigilant.
The key is that training must be continuous and ongoing. “Well-informed employees are your first line of defense against data breaches,” says Paul Zdane, chief solutions architect, Texada Software. “Cultivate a security-conscious culture within your organization, where employees actively monitor for and report suspicious activities. Employee vigilance complements your security infrastructure. Provide specific training on data privacy and confidentiality for all employees, emphasizing the importance of safeguarding customer and company information. Well-informed employees are essential for data protection.”
Robust access control:
“Establish stringent access management protocols to limit data access to authorized personnel exclusively,” counsels Zdane. “Employ advanced authentication mechanisms like multi-factor authentication to bolster security. Effective access control is the foundational pillar of data protection, ensuring that only those with legitimate reasons can access sensitive information.” Accounts should be audited on a regular basis to ensure that no one has been inadvertently granted over-permissive access.
Implement Multi-Factor Authentication (MFA)
MFA adds an extra layer of security by requiring users to provide multiple forms of verification before granting access. Even if a cybercriminal obtains your login credentials, they won’t be able to access your accounts without the additional authentication step. Always implement MFA for any privileged accounts. If a user requires elevated permissions such as “admin” permissions, a separate “privileged” account should be assigned and granted the “admin” permissions, rather than adding them to the user’s everyday account.
Keep sensitive data on the cloud:
Rental companies keep track of customers’ driver’s licenses, e-signatures and banking information. The cloud offers better protection but requires high security, says Orion Software’s Patrice Boivin. “Some people believe that because it’s in the cloud, it’s automatically secured. Rental companies should look for providers that are using the best practices and procedures. They should ask for their security scores and certifications.”
Sensitive data must be encrypted:
“Implement encryption for data at rest and in transit to safeguard against unauthorized access, even in cases of data compromise,” says Zdane. “Encryption renders data unreadable to unauthorized individuals, providing a crucial layer of defense.”
Have cyber insurance and the proper limits:
“The strongest and most comprehensive security software available,” is what you need, says Star’s Kendall. And don’t go for the cheapest deal. This is not the place to scrimp. Says Kendall: “Price should not be an object!”
And this is not a place for DIY. The biggest mistake many companies make is thinking they can manage this issue themselves. You need an expert provider to set up your firewalls, to store data, to train your employees, to make sure the system has a recovery capability, and to manage backups. You may have a brilliant IT staff – but cyber thievery is a full-time job.
Back up frequently!
Regular backup will dramatically reduce the impact of an attack, says McCormick. While there will likely be some data loss, different strategies like offsite storage and segmenting your network can make a difference.
“Attacks from malicious actors aren’t the only reason for data backups,” McCormick adds. “Natural disasters like wildfires or flooding can really set an organization back if there was no planning ahead of time.”
Store backups in offsite locations:
While it might seem convenient to keep your backups in your office, don’t! Typically in the case of a malware attack, the backups would be affected by the same virus, says Alert’s Knoepke. “Plus, what good is an on-site backup in the event of a server theft, fire or flood?”
Good backups, he adds, are run automatically on a daily basis or multiple times per day and pushed offsite to a protected server. “Multiple backups should be kept in the event the ransomware isn’t discovered until after the backup runs. And backups are only as good as how quickly and reliably they can be recovered in an emergency.”
Secure Wireless Networks
Wireless networks are vulnerable entry points for cybercriminals, says Daniel Ruiz, security engineer for Point of Rental Software. “Ensure that your wireless networks are encrypted using strong security protocols like WPA3. Hide your network’s SSID (Service Set Identifier) to prevent it from being broadcast to potential hackers scanning for available networks. If your business has a guest wifi network that you’ve been so kind to offer customers, ensure it is completely separate from your various business networks such as where your Point of Sale operates, and where you may conduct internal business.”
Practice “spring cleaning” at least once a year
“As employees change roles or leave your company, it’s important to update or revoke their access to sensitive data,” notes Matt Hopp of InTempo Software. “It’s best practice to make these changes in your rental software as soon as the personnel changes occur, but if you can’t make immediate updates, make sure you carve out time to ‘spring clean’ your system at least once per year.”
Have a recovery plan:
Sometimes mishaps do occur and in case they do, your company must have a detailed recovery plan, says Joe Lewis, CEO of Fame Rental Software. “It must be both defined and practiced,” Lewis says. “I’ve seen situations where a recovery plan was there, but, when it was needed it did not work. Verify it by doing a drill.”
Daniel Ruiz, security manager, Point-of-Rental Software, advises regularly reviewing security measures by conducting security audits and vulnerability assessments. “Identify weaknesses and areas for improvement, then take action to enhance your data protection protocols,” Ruiz says. “A great place to start is obtaining your PCI DSS certification as the standard has many cybersecurity requirements businesses must comply with. It is geared towards protecting cardholder data but pertains to protecting any critical or sensitive data.”
Long and complicated passwords:
All passwords should be long and complicated so they are not easily guessed, nor should they be duplicated on other sites or systems. Use at least two-factor authentication whenever possible. If a person wears a different Taylor Swift or Bruce Springsteen shirt every day of the week, he or she should probably not use the artist’s first or last name in the password.
Strict password management:
Requirements for regular password rotation should be implemented on all accounts, says Ruiz. “Consider using a password manager to securely store and manage your passwords, making it easier to use complex and varied credentials, as well as privileged accounts for elevated access.”
Texada’s Zdane suggests following the principle of least privilege: “Grant the lowest level of access rights necessary for employees to fulfill their job roles. Limiting access minimizes the potential attack surface. Best in class rental solutions should provide granular access to different menu options, field access, and permissions within the screens as well.”
Secure remote work practices:
In this day and age, a lot of work is done remotely, and a lot of employees need to take their laptops home or on the road. It’s critical to “extend security measures to remote work environments,” says Zdane. “Emphasizing secure VPN access or Zero Trust Networking, endpoint security, and secure data transfer methods. Maintain a clear desk/clear screen policy. Remote work adds new dimensions to data protection.”
Use tokenization to protect your customers’ credit card information:
Storing or transmitting credit card data over unsecured systems leaves it vulnerable to attacks. However, there’s an easier and more secure way to keep cards on file without actually storing the credit card numbers and CVV codes. Tokenization lets you charge returning customers for new or recurring long-term rentals (including cycle bills on any schedule) without actually storing the credit card data on your system. The tokens that you do store are randomly generated and cannot be reversed into the card number, so even in a worst-case scenario of a successful attack on your organization, your customers’ credit card data still wouldn’t be exposed.
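To make the split concrete, here is an added teaching model of tokenization (example code written for this article, not any payment provider’s product). The processor side holds the card vault and issues tokens drawn from a secure random source; the rental company keeps only the token plus display data, and the demo shows what a copy of the merchant database would and would not contain. Class and function names are hypothetical and the card number is a constructed test value.

```python
import secrets

class ProcessorVault:
    """Models the payment processor. Only it ever holds card numbers."""
    def __init__(self):
        self._cards = {}  # token -> card data; never leaves the processor

    def tokenize(self, pan, expiry):
        # Random token, not a hash or encryption of the PAN, so it cannot be reversed.
        token = "tok_" + secrets.token_hex(16)
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token, cents):
        card = self._cards.get(token)
        if card is None:
            return {"ok": False, "reason": "unknown token"}
        # A real processor would authorize with the card network here.
        return {"ok": True, "last4": card["pan"][-4:], "amount": cents}

class RentalCompany:
    """Models the merchant: keeps the token and display data, never PAN or CVV."""
    def __init__(self, processor):
        self.processor = processor
        self.customers = {}  # customer id -> the only card data the merchant keeps

    def save_card(self, customer_id, pan, expiry, cvv):
        # cvv is needed only for the initial authorization and is deliberately not stored.
        token = self.processor.tokenize(pan, expiry)
        self.customers[customer_id] = {"token": token, "last4": pan[-4:], "expiry": expiry}
        return token

    def bill_cycle(self, customer_id, cents):
        """Charge a returning customer (e.g. a monthly cycle bill) using only the token."""
        return self.processor.charge(self.customers[customer_id]["token"], cents)

    def breach_dump(self):
        """What an attacker who copies the merchant database would obtain."""
        return {cid: dict(rec) for cid, rec in self.customers.items()}

def demo():
    proc = ProcessorVault()
    merchant = RentalCompany(proc)
    pan = "4111111111111111"  # constructed test card number
    merchant.save_card("cust-42", pan, "12/27", "123")
    result = merchant.bill_cycle("cust-42", 15_000)  # $150.00 cycle bill
    return result, merchant.breach_dump(), pan
```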
Keep Software up to Date:
Outdated software is a prime target for cyberattacks, says Ruiz. “Hackers exploit known vulnerabilities to gain unauthorized access. Regularly update your operating systems, applications, and plugins to patch security flaws and reduce your vulnerability to attacks. If you have software, especially if installed on business networks, it normally requires patching at least every 30 days. Are you checking? There exist annual cybersecurity conferences where competitors hack systems based on unpatched, or zero-day vulnerabilities. For example, exploit this particular software’s vulnerability to gain remote access, then exploit this other’s software vulnerability to elevate my permissions.”
Monitor for unusual activity
Set up alerts for suspicious login attempts and monitor your accounts for any unusual activity, advises Ruiz. “Rapid detection of unauthorized access can prevent data breaches or minimize their impact. The sooner you know of attack indicators, the sooner you can derail the bad actor’s actions and mitigate damage.”
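As an added illustration of the kind of alerting Ruiz describes (example code written for this article, not from Point of Rental or any product), the following Python runs two simple rules over constructed authentication log lines: a burst of failed logins from one address inside a time window, and a successful login that follows a run of failures for the same user. The log format, rule thresholds and addresses are all assumptions chosen for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> user=<name> ip=<addr> result=<success|failure>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(success|failure)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line; the caller skips it instead of crashing
    ts, user, ip, result = m.groups()
    return datetime.fromisoformat(ts), user, ip, result

def detect(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return (timestamp, rule, detail) alerts: a burst of failures from one IP,
    and a success that follows a run of failures for the same user."""
    alerts = []
    ip_fail = defaultdict(deque)    # ip -> recent failure timestamps
    user_fail = defaultdict(deque)  # user -> recent failure timestamps
    flagged_ips = set()             # alert once per IP, not on every extra failure
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, ip, result = rec
        for dq in (ip_fail[ip], user_fail[user]):
            while dq and ts - dq[0] > window:
                dq.popleft()  # drop failures older than the window
        if result == "failure":
            ip_fail[ip].append(ts)
            user_fail[user].append(ts)
            if len(ip_fail[ip]) >= max_failures and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append((ts, "brute_force", f"{len(ip_fail[ip])} failures from {ip}"))
        else:
            if len(user_fail[user]) >= 3:
                alerts.append((ts, "success_after_failures",
                               f"{user} from {ip} after {len(user_fail[user])} failures"))
            user_fail[user].clear()  # a success ends the user's failure run
    return alerts

SAMPLE_LOG = [  # constructed: a guessing burst from one address, then a hit on 'desk1'
    "2024-03-04T08:00:00 user=desk1 ip=203.0.113.7 result=failure",
    "2024-03-04T08:00:05 user=desk1 ip=203.0.113.7 result=failure",
    "2024-03-04T08:00:10 user=desk1 ip=203.0.113.7 result=failure",
    "2024-03-04T08:00:15 user=admin ip=203.0.113.7 result=failure",
    "2024-03-04T08:00:20 user=admin ip=203.0.113.7 result=failure",
    "2024-03-04T08:00:30 user=desk1 ip=203.0.113.7 result=success",
]
```

Running detect(SAMPLE_LOG) yields two alerts: the fifth failure from 203.0.113.7 at 08:00:20, and the desk1 login at 08:00:30 that followed three failures for that user.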
Employee departure procedures:
Institute a comprehensive offboarding process to revoke access for departing employees and prevent unauthorized data access. Terminated employees should not retain access to sensitive information.
Employee Confidentiality Agreements:
Require employees to sign confidentiality agreements to legally bind them to protect sensitive company information. Legal safeguards reinforce data confidentiality.
Quick reactions can limit the damage that attacks create for your organization, notes Wynne Systems’ McCormick. “Anything out of the ordinary should be flagged and acted upon accordingly. It should be an organization-wide effort to spot, flag, and react to any data security issues.”