Watch Out for Cybercrime

Nov. 11, 2021
With global cybercrime in the trillions of dollars per year, no business is too large or too small to be hit.

If you ask most people to name the most lucrative illegal business in the world, they will probably say drug trafficking or gun smuggling. While, for obvious reasons, the economic value of narcotics trafficking is difficult to pin down precisely, and estimates vary, some have written that it’s considerably more than $500 billion per year.

A lucrative racket to be sure, but compared to cybercrime, it’s chump change. According to Cybersecurity Ventures, global cybercrime costs the world economy more than $6 trillion per year and will grow by at least 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015. If cybercrime were a country, it would be the third-largest economy in the world. So, some people are making a lot of money causing this much damage.

If cybercrime is so big, why should a small rental business matter to cybercriminals? Because every business matters. There’s no target too big and none too small. Crime businesses don’t get big by discriminating. Every customer has something to offer. And that includes rental or distribution or manufacturing businesses. It all adds up. And any business that brings in money every day and stores credit card and banking information of a variety of customers has a lot of potential for cyberthieves.

Software manufacturers are very aware of this and see this threat as a major concern.

“Cybercrime is no longer a concern for only large technical industries,” says the Texada Data Security Team. “It has become so profitable for the perpetrators that even individuals and microbusinesses are valid targets. In 2020, 43 percent of breaches were suffered by small businesses. The direct impact on the business can be devastating, but unfortunately, it can also be accompanied by significant fines and penalties. Even a minor breach with no direct financial impact can [cause] significant reputational damage, and it can be difficult for businesses to regain that lost trust.”

“Cybersecurity is our highest priority and requires constant vigilance to ensure systems are protected and monitored, and that any incidents are handled according to our incident response plan,” says Paul Esler, IT manager, Baseplan Software. “There are almost daily reports of data breaches and ransomware attacks globally. Cybersecurity cannot be ignored or given a low priority. A successful attack can bring a business to a complete stop for a significant amount of time.”

Whether the threat is to a large company or small – and considering rental companies maintain customers’ financial information, there is no such thing as a small ransomware attack – a serious cybersecurity breach is likely to cost a company millions of dollars. In fact, according to a white paper on the state of ransomware from IT security firm Sophos, in 2021 the average cost to remediate a ransomware attack was $1.85 million (see https://secure2.sophos.com/en-us/content/state-of-ransomware.aspx).

“Millions of dollars of damage can result from a single cybersecurity breach,” says Larry Miller, vice president of business development, rental and service industry, Sycor Americas. “Businesses and individuals are being targeted for financial or social gain. At a minimum, email and workstations can be compromised that require vast amounts of administrative time for IT to work through.”

The time, brainpower and computing expertise are redirected from developing new processes and advancing the company’s interests to recovering from the damage inflicted, including the compromise of customers’ financial information, patching the company’s systems so they can function normally, and improving those systems to prevent future breaches.

Collin Pike, chief architect of cloud engineering at Point of Rental Software, says essentially cybercrime is similar to the dangers of regular crime. “It depends on what the criminals are after,” Pike says. “Cybercrime dangers can include anything from your data being held for ransom and shutting down your operations to taking your (and your customers’) information and racking up debts in your name or their name. It can take years to repair the damage if you’re even able to do so.”

Esler says ransomware is the biggest threat, where malicious actors encrypt data and demand payment for decryption of that data. “Ransomware can inflict significant financial and reputational damage to a business,” he notes. “Other dangers include theft of financial or customer information, which can also impact on the reputation of a business.”

So where would these dangers be coming from?

“In order to protect people, devices, data and critical infrastructure, you need to understand the different types of security threats and their motivation,” says Miller. “Cybercriminals often share common motivations such as financial, intelligence and/or social or political gain. Their approach is by gaining access to financial systems and parsing small bits of information to minimize their exposure. The goal is to acquire intellectual property or information that might be of value to another company or entity.

“There are also nation-state actors that work directly or indirectly for another government in an effort to compromise an organization or individual. They work to achieve a desired outcome by disrupting operations or stealing secrets from corporations. Insider threats by your own employees are challenging due to multiple behavioral motives. It may be intentional, for financial gain or pain. Many of these events are non-intentional due to carelessness, accidental or negligent activity.

“Lastly, there are ‘hacktivists’ that desire visibility and will draw attention to themselves and/or their cause. Most commonly they will use ‘distributed denial-of-service’ attacks or disruption to an on-line website.”

Pike strongly cautions against minimizing the dangers.

“Hackers can install malware on your server, breach a network vulnerability, attack application-level exploits, or flood your site with requests, potentially causing a crash,” he says. “These are the things your IT and your cloud software teams are helping protect you against.

“The dangers from within your company - it’s usually unintentional aid via social engineering, like people responding to phishing emails. But it’s also possible that an employee, manager, or co-worker is intentionally sabotaging the company. Because there are so many ways for internal and external threats to affect businesses, it’s incredibly important to both protect against cyber threats and prepare for the day an attack affects you.”

Ira Chandler, payment products manager, InTempo / Curbstone, advises customers to read the Verizon Data Breach Investigations Report (easily downloadable), which says that social engineering is the most prevalent tool used to perform breaches.

“These incidents are perpetrated by taking advantage of the humans in your organization,” Chandler says. “‘Denial of Service’ is a pattern in roughly 50 percent of incidents.”

The Verizon Report shows the trends moving towards external threats, which make up almost 80 percent of incidents, and away from internal threats, which comprise only 22 percent, with the financial motive active in more than 90 percent of breaches, while espionage is down around 5 percent.

“The threat actors are estimated at 80 percent from organized crime,” Chandler says. “From the outside, profit is a big driver for criminals. Those risks are reasonably identifiable. Ransomware is in the news and a clear profit-based criminal activity; the perpetrator encrypts a company’s data, and they have to pay for a key to decrypt it.”

However, says Chandler, “The most dangerous external risks are those not driven by profit, such as most Denial of Service (DOS) attacks. DOS is the act of overwhelming a website or server with so much traffic that it cannot function. If not accompanied by a monetary demand, as they most often are not, they appear to be driven by the ego of the criminal, working to prove they are in control.

“Internal threats often cannot be separated from the external threats. For example, a trusted employee gets a phishing email that appears to be legitimate and from your own IT Department. They click the link and provide their user ID and password on a screen that looks vaguely familiar, thinking they are complying with a legitimate request. The response is a thank you, and the employee may not even know what they have done. This is how the external threats utilize your internal resources to their criminal ends. Remember, the Verizon Report said that 35 percent of the breaches were facilitated through social engineering, the most prevalent method.”

“Exploiting weaknesses in the security of your remote access systems, such as VPNs, is one danger,” adds Esler. “Another external danger is from social engineering, where hackers will use social-based methods such as emails or phone calls, to extract sensitive information about your business which they can then leverage to gain access to your network. This could be via a clever trick to obtain a password to one of your external facing systems. Dangers can also come from within, whether it is intentional malicious acts by a disgruntled employee, or mistakes made in important security-related configurations. For instance, not changing default passwords on important network devices like Wi-Fi access points or firewalls. This could lead to an exploit of those devices allowing access to your network.”

The Texada Data Security Team says direct hacking from the outside is relatively rare.

“The most common attack vector leading to a compromise is staff,” Texada says. “Compromised credentials are of greatest concern, especially when staff use the same password across various sites. Threat actors are also using more sophisticated methods for producing convincing, yet malicious emails (phishing/spear phishing). Fake websites for unsuspecting staff to click on are becoming harder to differentiate. Recent research from Proofpoint reveals 75 percent of organizations around the world experienced a phishing attack in 2020, and 74 percent of attacks targeting U.S. businesses were successful.

“Data loss and leakage are also of considerable concern. Redteam Security found that 72 percent of employee data leaks are inadvertent. Of note is the recent case of the city of Calgary, Canada, which is being sued for $92.9 million for a 2017 privacy breach. This breach impacted more than 3,700 employees. A city staffer sent an email to an employee in another Alberta municipality sharing Workers' Compensation Board claim details, medical records, social insurance numbers, addresses, dates of birth, Alberta Health Care numbers and income details.”

Bots are also commonly used by threat actors, according to the Texada Security Team, as they automatically scour the internet for sites and servers that have known, unpatched vulnerabilities in their operating systems or applications. However, the team says that attacks by bots can be “easily prevented just by keeping your software updated to the latest version.”

“At InTempo, we are sometimes surprised that companies do not have adequate backup procedures to make this an idle threat,” says Chandler. “We ensure that our critical customer data is backed up using secure, state of the art methods, which means that losing one copy of the data will not jeopardize operations.”

Chandler says disgruntled employees represent another threat and can wreak havoc using privileges they were granted for their everyday tasks. This is where proper IT procedures and processes need to be instituted to prevent or mitigate destructive actions.

What vendors do about it

Software vendors spend a lot to make sure they are protected, and that they are able to protect the data of their rental company customers.

“Sycor is extremely fortunate to have Microsoft as its hosting partner,” says Miller. “Microsoft invests more than $1 billion annually on security, data protection and risk management. With 90 percent of Fortune 500 companies utilizing Microsoft Azure, it is one of the world’s largest cloud footprints with more than 100 geo-distributed data centers with over 1 billion customers around the world.

“Sycor has also chosen Microsoft’s Dynamics 365 Finance and Supply Chain Management as our platform to build our Sycor.Rental solution. Sycor.Rental is fully integrated into D365 Security that utilizes Active Directory and the D365 Roles and Security functionality.”

“We have several security experts on staff with years of experience in hardening networks and applications against threats,” says Point of Rental’s Pike. “We’re using industry best practices and tools to provide mitigation against the most harmful threats. We do frequent backups, and we constantly scan our applications and environments for vulnerabilities. We even use third parties to scan our applications so we’re getting external suggestions and feedback as well.”

InTempo went so far as to acquire a company that specialized in software security.

“About three years ago, out of interest in optimizing our cybersecurity, we identified a company that was already providing credit card processing technology to our largest customer,” says Chandler. “That technology company, Curbstone, is audited by third-party PCI-qualified security auditors (QSAs) every year to comply with the Security Best Practices published by the Payment Card Industry Security Standards Council (PCI SSC). For context, these are the same security standards that PayPal has to achieve. In order to handle merchants’ card data on their systems, Curbstone undergoes a three-month-long security audit every year, and is listed by the two authorities, Visa and MasterCard, as a PCI ‘Service Provider Level 1.’

“Curbstone processes over $5.5 billion each year, so is steeped in security expertise and awareness. InTempo acquired Curbstone and their technology in October of 2020. This brought on board a whole company full of qualified PCI QIRs (Qualified Integrators and Resellers) and other security experts.” 

“We have adopted a ‘security first’ mindset in our development,” says the Texada Data Security Team. “That, combined with partnering with quality vendors that have excellent cybersecurity knowledge, affords us the best opportunity to offer a secure environment for our customers. We leverage encryption technology in conjunction with secure network infrastructure design to ensure all data is hidden from prying eyes. Our systems are backed up with defined retention policies that are audited weekly.”

What rental companies can do

While software vendors do a lot to protect users of their software, rental companies ultimately must make sure they protect themselves in house.

“First, you must consider moving from any on-premise applications to a cloud-based solution,” says Sycor’s Miller. “Rental companies’ IT staff likely don’t compare to the capabilities of the top Cloud providers.

“Second, be curious and diligent. You can’t assume everything is fine. You must be on-guard at all levels of your business. I believe ‘awareness’ is your best defense. The more your staff understands the threat, the better they can help in identifying a possible breach in security. Gone are the days of your password on a post-it note stuck to the bottom of your keyboard.”

“Aside from ensuring you have legitimate software and someone - whether it’s internal/external IT, cloud software, whoever - looking out for you on the software side of things, the best things you can do to protect yourself are pretty simple,” says Point of Rental’s Pike.

  1. Set requirements for rotating your passwords for computers, emails, and peripheral systems.
  2. Set rules for information dissemination - don’t give away information you don’t need to give away; you never know how much of the puzzle someone already has when you give away a puzzle piece.
  3. Enable dual authentication when possible; it requires access to a physical item (for example, because they’ll send a text to verify, a hacker would have to have access to your phone) in addition to your passwords, which makes things that much more difficult for a hacker.

InTempo’s Chandler says there are two main areas of risk based on the type of data. “First, and most valuable of a target, are credit cards,” he says. “Second, and the target of ransomware and espionage, are business data that could force a company to pay for its restoration or provide an edge to a competitor. The credit card data solution is simple. Where most businesses ‘touch’, transmit, and store card data, InTempo’s Curbstone technology prevents all three. Their phone order, e-commerce, and retail EMV technologies prevent the merchant’s existing computing infrastructure from touching the card data.

“However, it is seamlessly integrated into the InTempo RentalMan SaaS software for authorizations that happen in real time. Full Remote Tokenization provides the rental company with a Token to perform cycle billing, returning customer payments, credits, and other operations using a Card-On-File, securely stored in the Curbstone Portal Repository. By preventing the existing computing infrastructure of a rental company from touching the card data, InTempo and Curbstone eliminate the vulnerabilities across the entire company.”

Baseplan’s Esler says rental companies need to ensure they have multiple layers of protection in place. “This includes anti-malware software installed, anti-spam solutions for email, data backups including copies kept offsite and strong access controls to ensure only authenticated users can access systems and data that they are permitted to access,” he says. “In addition, it is important to keep your staff informed and educated about cyber threats like ransomware, how to identify threats (e.g. suspicious emails with links or attachments) and what to do if they identify a threat. Use strong passwords everywhere and if possible, use multiple factors to authenticate, such as a password plus an authenticator app on a smart phone. Lastly, keep all systems up to date with operating system or firmware updates issued by the vendor.”

The Texada Data Security Team suggests some basics:

● Train your staff on how to keep themselves and the business secure. Untrained staff can be more damaging than unpatched applications.
● Partner with vendors that will assist you in protecting your security. Cyber-security is a profession in itself; internal IT may not have the expertise to keep your business secure on their own.
● Verify your internal and/or external IT are well versed in cybersecurity.
● Ensure multi-factor authentication is enabled on any application that supports it.
● Make sure all your software is kept up to date with a robust patching policy.
● Enforce the use of a password manager for your staff so all sites and applications have unique, complex passwords.

“Finally, back up everything. Ensure all data you control is regularly backed up and your SaaS providers have robust backups of their offerings. As online collaboration/email software is becoming more commonplace, don't get caught in the mindset that ‘it’s on the cloud, it's safe.’ Ensure you have those services backed up as well.”

Keep your eyes open

Rental companies need to keep their eyes open to some basics.

“Likely the most common are email intrusions,” says Miller. “This can be from phishing, surveys, links and notification of compromised accounts. I believe all of us have been subject to at least one of these. Even if the email appears to be from someone they know, always closely check the email of the sender. Many times, you will find a slight deviation from a normal email address, that will help you identify these intruders. 

“Don’t click on links that come from a sender you are unsure about. The key here is to always be on your guard. You should be suspicious of anything out of the ordinary. Many of today’s email providers, like Microsoft Exchange, will make an attempt to filter out spam and warn you about suspicious links.” 

“There are a lot of targets for cybercriminals; if you have an IT person or team, they should know how to handle the basics as far as making sure your data is encrypted, and your customers’ financial information is tokenized,” adds Pike. “If you’re using cloud-based software, then the software and cloud providers are doing the heavy lifting on that end as well.

“One of the easiest ways for cybercriminals to get access to your systems is via social engineering, where they’re working with people that aren’t thinking about cybersecurity all day. So be on the lookout for vague or suspiciously worded emails, phone calls, or even social media posts that are asking for commonly used security question information. The world doesn’t need to know the name of your first pet, the street you grew up on, etc. If someone you know is emailing you a file you’re not expecting, call them and make sure it’s legitimate. Just be aware and make your team aware; if something seems questionable, question it.”

“The first area of scrutiny must be credit card processing,” says Chandler. “Virtually all companies will state verbally that they are ‘PCI Compliant’, but that is meaningless. If they touch your card data, they are required to be security audited as a service provider and adhere to the PCI DSS security best practices, then have the results submitted to the authorities for publication. Visa and Mastercard cooperate as the sole authorities on what companies have been validated by third party, PCI-qualified security auditors to meet the PCI standards. You can use their Global Registry of Service Providers to search for any company by name. Any company that is touching your credit card data should be listed here. If not, inquire as to their status as a Service Provider.”

“Be on the lookout for unsolicited or suspicious emails, particularly with links or attachments included,” says Esler. “Ensure you know your network and where the external exposure points are, and that they are as secure as possible from external access. These points should be actively monitored for suspicious activity such as repeated login attempts using generic accounts like administrator or guest.”