There is increasing evidence that jewelers and other sellers of high-end goods are being targeted by cybercriminals, Jewelers’ Security Alliance president Jennifer Mulvihill tells JCK.
Cartier and Christie’s have both been hacked, and Mulvihill—who is also an adjunct assistant professor of cybersecurity at Hunter College—wouldn’t be surprised if other luxury houses get hit.
“Every company is a target,” she says. “Everybody has data. Don’t think that just because you’re not a hospital or a financial institution, you don’t have something these threat actors want.”
Cybercriminals are “moving away from some of the familiar targets and they’re moving to more unusual spaces,” Mulvihill notes. “The last time the retail industry was hit was 2013, 2014. There were massive data breaches at Target and Home Depot. That was 10 years ago, so it’s time.”
She adds that sometimes “smaller retailers are more attractive to these gangs, because even if they don’t have high-quality data, they have less protection.”
The biggest threat comes from a gang, believed to be based in the United States, called Scattered Spider, which typically hacks companies with ransomware. Its members are fluent in English, so they can impersonate senior executives in ways that might fool even tech-savvy workers.
“They look up online who the IT people are, and who the CFO is,” Mulvihill says. “Then they call the IT desk support and try to trick the IT department into changing the passwords or resetting the account. They often say that it’s urgent and time-sensitive. These IT folks are nervous—if it’s the CFO calling, they have to do it.”
Artificial intelligence has made these crews more efficient, says Mulvihill.
“With AI, they can scale their resources, and compose better emails that sound very authentic,” she says. “It lets them learn the specific tone of the individual that they’re targeting.”
If this all sounds scary, that’s because it is, Mulvihill says.
“This is the threat actors’ full-time job, so we’re at a disadvantage,” she says. “But we haven’t lost this battle. The good news is the cybersecurity community has so much more information now than we did in 2013.”
She advises jewelers to take advantage of “proven defense strategies and tips and best practices.” Among them:
– Beware of phishing emails.
These are messages that impersonate either a company you do business with or a business colleague. They aim to have you click on links that lead to pages where you either enter your password (which is then stolen), or your computer gets infected with malware.
“Any email that looks suspicious, or has a link in the body in the email, take your mouse and hover over the link,” Mulvihill says. “Make sure you look at grammar and punctuation. Bad grammar is a sign that it may be coming from an illegitimate source.”
Another red flag: a sense of urgency.
“If you get an email from your CFO that money needs to be transferred now, be careful,” she says. “One of your best defenses is just picking up the phone, and calling and verifying.”
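The two red flags described above (a link whose visible text names a different host than the one its href actually opens, and urgency wording) can be checked mechanically before anyone clicks. The following is an added example, not code from the article or from the Jewelers’ Security Alliance; the email body and every domain in it are constructed and hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (hypothetical domains): the first link's visible text
# names the bank portal, but its href actually points somewhere else.
SAMPLE_EMAIL = """<p>URGENT: the CFO needs this wire sent immediately.</p>
<p>Approve it here: <a href="http://login.example-evil.test/reset">https://portal.example-bank.test/login</a></p>
<p>Statement: <a href="https://portal.example-bank.test/statement">portal.example-bank.test</a></p>"""

URGENCY_TERMS = ("urgent", "immediately", "now", "time-sensitive", "asap")
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased hostname if value looks like a URL or domain, else ''."""
    if not _URLISH.match(value):
        return ""
    url = value if "://" in value else "http://" + value
    return (urlparse(url).hostname or "").lower()

def mismatched_links(html):
    """Links whose displayed host differs from where the href really goes."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if _host(text) and _host(text) != _host(href)]

def urgency_flags(html):
    """Urgency words present in the message text (tags stripped), sorted."""
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    return sorted(t for t in URGENCY_TERMS
                  if re.search(r"\b" + re.escape(t) + r"\b", plain))
```

Run on the sample, `mismatched_links` flags only the first link, and `urgency_flags` reports the pressure words, which together are exactly the cues Mulvihill says should trigger a phone call to verify.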
– Train your employees regularly.
“Cybersecurity is everyone’s problem,” says Mulvihill. “Ensure that online training is required.”
Ideally, training should be done in-person, but if that can’t happen, she calls KnowBe4 a good online training platform.
– Use multi-factor authentication.
Mulvihill acknowledges that multi-factor authentication (MFA) can get annoying—leading to “MFA fatigue”—but says it should still be required every time an employee logs in.
“It just checks you are who you say you are,” she says. “It gives you authorization to access those files.”
– Have a strict password policy.
“It’s important to change your passwords regularly every three months,” Mulvihill says. “Make sure they’re complicated. Have a policy that dictates employees can’t use repeat passwords.”
She advises people to get creative with passwords and try to make them memorable, perhaps using a lyric of a song that you like. She adds that if you have trouble remembering your passwords, use an encrypted password manager.
– Back up your data to the cloud.
If your computer is infected with ransomware but you’ve used the cloud, you’ll be able to retrieve your data without paying the hackers.
“Threat actors have a very short attention span,” Mulvihill says. “If you say you have backups, they’ll just move on.”
– Keep your software upgraded.
“It’s expected that there will be vulnerabilities in any software,” Mulvihill says. “If you get a request to add a patch, do it.”
– Stay informed.
According to Mulvihill, some of the best information on cybersecurity comes from the U.S. government. In particular, she recommends looking at the resources available from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and the FBI.