Imagine you get a social-media message from a trusted friend asking for help with a cause — like helping Ukrainian war refugees, or helping hurricane victims. “Just go to this link,” the message says.
Only it’s not your trusted friend, but an internet scammer. And instead of going to the site of a reputable charity, you’ve given the scammer access he can use to steal information, raid bank accounts or disable your computer — or your company’s network — until you pay a ransom.
Amid the Russian military invasion of Ukraine, cybersecurity experts are on high alert for an increase in scams and cyberattacks, said Zach Eikenberry, co-founder and CEO at the Lakeland-based cybersecurity firm Hook Security Inc.
“With any big issue or tragedy that comes up, there’s going to be a number of scams that immediately hit the market,” he said. “Unfortunately, there are professional scammer organizations, and they wait for these kind of things.”
There are about 30,000 cyberattacks daily in the U.S., and that equals 30 million cyberattacks annually, “among the most common crime globally,” according to a Hook Security blog. The “phishing” scam described above, in which a scammer disguised as a trusted friend or company tricks someone into giving them critical access to their network, is among the most common.
And there is a shortage of the good guys. An Information Systems Security Association International report in July 2020 said 70% of organizations are impacted by a shortage of cybersecurity professionals.
This leads to “security professionals suffering from excessive workloads, inappropriate skill levels, high turnover and an acute shortage especially in the areas of security analytics, application security and cloud security,” the report said.
Businesses on high alert
In February, before Russia invaded Ukraine, an FBI report obtained by Newsweek magazine called on the U.S. private sector to be prepared for potential state-sponsored cyberattacks to be launched by Russia.
In March, President Biden also warned of cyberattacks in posts to the White House and U.S. Cybersecurity and Infrastructure Security Agency websites. Those websites also post resources to combat misinformation campaigns, another form of online manipulation.
“Russia is going to try to interrupt and disrupt the U.S. economy and other western state economies, and they are going to do that through a number of things,” Eikenberry said.
“You are going to see an increase in what are known as phishing attacks, or fake emails, where they try to get someone to click on something,” he said. “They try to get your credentials, then try to get someone to download something because their whole attempt is to flail and punch back against things like sanctions.”
Hook Security’s primary offering is training for employees of companies that provide information technology services to other companies, or managed service providers.
“Companies, largely managed service providers (a contractor that remotely manages IT services for another organization) engage with us to train their employees to recognize manipulation and also to achieve certain levels of compliance with their organization,” he said.
Among Hook Security’s customers is Sittadel, a computer and network security firm in Lakeland. Co-founder and Chief Technical Officer Joshua Sitta manages computer systems for doctors and lawyers in Central Florida, protecting patient privacy under HIPAA regulations and attorney-client privilege.
He understands the threat from Russia amid economic sanctions, which he recalled were similar to the backlash anticipated after the U.S. began imposing sanctions on North Korea for its nuclear missile tests. At that time, he was employed at a Lakeland-based bank to protect its digital infrastructure and customer accounts.
“What is a nation-state going to do when they are losing GDP just for existing? They are going to turn to their cyber-weapons to try to steal from an enemy to try to recover that loss of income,” Sitta said.
Citing corporate boycotts such as U.S. burger and coffee companies shuttering outlets in Russia, he said, “This has never happened before, so Russia is being squeezed harder economically than any country ever has in the middle of a conflict.
“So they’re naturally going to turn to cyberactivity to recoup that,” Sitta said.
The Cybersecurity and Infrastructure Security Agency recently provided a “Shields Up” advisory with domains known for launching CONTI Ransomware (developed by a pro-Russian organization that pledged to retaliate against any U.S. cyberattack). But that notification doesn’t mean much to the average business owner, he said.
“So we have to figure out what we can do to support people who don’t have any idea what a cybersecurity program looks like,” Sitta said. “That’s where a company like Hook Security can add a lot of value.”
Hook Security, which was incorporated in 2019 in Delaware, was nominated for the third annual Entrepreneur of the Year Award held Jan. 12 at Catapult Lakeland, where the firm maintains an office. The company was recently accepted into Tampa Bay Wave’s inaugural CyberTech, X Accelerator program, which focuses on growing businesses in the cybersecurity space.
The company was named a High Performer in the spring 2022 G2 Grid Report, which listed Hook Security as No. 1 in several categories, including: easiest to do business with, best support, fastest implementation, best estimated return on investment, and highest user adoption.
The company employs 10 people across the United States but expects to grow once additional venture capital funding is secured, which is anticipated within 60 days to six months, Eikenberry said.
Novel training approach
An employee at a company might be stricken with a paralyzing fear worrying whether they will be vilified if they unsuspectingly open a questionable email that halts the company’s servers. That fear can impact productivity and employee stress.
Hook Security tries to overcome those fears. They focus on training employees in a way that ensures psychological security comes first. This is the firm’s niche: looking at cybersecurity in a way that is positive and holistic.
Hook Security is a “cybersecurity software company,” Eikenberry said. “We train people to recognize threats and manipulation. We are the next standard, the next generation of training experiences.”
By making sure employees feel safe within the workplace, companies can equip them with the necessary tools to identify cybersecurity threats and come forward with concerns.
Hook Security can also be thought of as a “psychological and behavioral science startup,” the company said. Its training is designed “to help companies establish policies for email and provide on-demand fake social engineering cyber-attacks on employees” to help workers avoid falling victim to an attack.
The platform offers online security awareness training, phishing testing of employees to determine their preparedness for attacks, actionable reporting of security threats among other data reports and psychological security of employees.
“Psychological Safety” is a well-established field of research that has been around for almost 100 years but is relatively new in business fields. The term is applied to psychologically safe corporate cultures.
“Cybercrime wins when there is dysfunction,” Hook Security co-founder Adam Anderson said. The premise of Hook Security’s vision starts on a foundation of effective communication, understanding of the organization’s mission, employing people skills and practicing conflict resolution.
When these things are in place, the practical implementation of cybersecurity training can take place, the company said. “Emotional intelligence should come first in any workplace.”
“If your employees are unhappy and under-equipped to deal with cyber threats, you may find that a threat comes from within; revenge cyberattacks are on the rise. And the downside of not having security awareness training — your entire business is under threat,” Eikenberry said.
“The first thing an organization needs to do is look at its culture. We have to deep dive into emotional intelligence and leadership,” he said. “When you decide something is important to change, you need to learn how to lead through that change.”
The firm identifies three pillars in cybersecurity, Anderson said: “Address psychological security in the core system, address the human beings inside an organization and learn from the mistakes we made during the birth of the internet age.”
Cybersecurity awareness tips
In many ways online scams are the same now as they were when the internet was first launched. The Federal Trade Commission offers the following signals often contained in scams:
- Scammers pretend to be from a government agency, organization or charity you know, by masking with a false identity or using soundalike names and spellings.
- Scammers say there’s a problem or a prize. They might say you owe money or you’ve won a lottery.
- Scammers pressure you to act immediately before you have time to think, or threaten you with arrest, loss of a license or deportation, or say your computer is corrupted.
- Scammers tell you to pay in a specific way, through a money transfer company or putting money on a gift card and then giving them the number on the back. Or, they send a check, have you deposit it and then send them the money.
There are multiple federal agencies that can be contacted if an individual believes their computer is experiencing a cyberattack, from the FBI to the Secret Service. However, if a person could be potentially harmed by the attack, residents should dial 911 to report the incident.
Paul Nutcher can be reached at PNutcher@gannett.com.