Three Essential Proactive Cybersecurity Strategies to Defend Your Company

by Mathew Buchwald

Recognizing and managing cybersecurity risk is an essential part of maintaining business operations and retaining the trust of clients, partner organizations and the public. Threats evolve, but these fundamental cybersecurity objectives can help keep your business protected and resilient against cyber-crime.

For many businesses, securing valuable assets and data can feel overwhelming: digital adoption keeps expanding the attack surface while the threat landscape grows more complex, and every new system or integration is a potential point of vulnerability.

While there is no way for any organization to be 100% secure, adherence to core best practices and targeted investments in talent and technology can help strengthen defenses against persistent threats.

These three areas of focus are a good place to start.

Building and testing a comprehensive ransomware plan

Ransomware, malware that encrypts data and systems and withholds the means to recover them until a ransom is paid, is a constantly evolving threat. Encrypting files disrupts operations, but many groups also steal sensitive information, such as intellectual property or personally identifiable information, before encrypting it, and then threaten to publish it unless they are paid (so-called double extortion).

About a third of analyzed breaches involved ransomware, and it ranked as a top threat in 92% of industries. Businesses should prepare and test a ransomware response plan in the same way they prepare for disaster recovery, including tabletop exercises and actual restore drills rather than a document that is never exercised.

Response plans depend on encrypted backups of essential company data that are kept offline or in immutable storage, so that an attacker who controls the network cannot encrypt or delete them, and that are tested by restoring from them, not just by confirming that the backup job ran. Access to critical data and systems should be actively managed, granted only on an as-needed basis, protected by multi-factor authentication and reviewed regularly so that stale or excessive privileges are removed.

During an incident, clear communication and established protocols are key to containment: isolating affected systems, protecting unaffected ones and preserving evidence before recovery begins. Businesses should inform internal and external stakeholders, engage law enforcement and, where relevant, notify their insurer and regulators.

Once a ransomware attack is contained, businesses can complete a forensic analysis to establish how the attacker got in and how long they were present, document remediation and close the entry point. Affected systems should be restored only from backups that have been verified as intact and that predate the intrusion; attackers often spend days or weeks inside a network before deploying ransomware, and backups taken during that window may already contain their changes or their tools.
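The backup checks just described, as an added example that is not part of the original article: each archive's SHA-256 is compared with a manifest kept out of band, and any backup taken after the suspected intrusion start is rejected before restore. The manifest format, the file names and the archive contents are constructed for the demo.

```python
"""Pre-restore check for offline backups (added illustration, not the
article's own code). Each archive's SHA-256 is compared with a manifest kept
out of band, and any backup taken after the suspected intrusion start is
rejected. The manifest format and the sample archives are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Assumed manifest format, one archive per line:
    <sha256>  <ISO-8601 UTC timestamp of the backup>  <file name>"""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, taken, name = line.split(maxsplit=2)
        entries[name] = (digest, datetime.fromisoformat(taken.replace("Z", "+00:00")))
    return entries


def select_restorable(backup_dir, manifest_text, intrusion_start):
    """Return (usable, rejected). A backup is usable only if it is present,
    its digest matches the manifest and it predates the intrusion; backups
    taken during the attacker's dwell time may already carry their changes.
    Usable backups are ordered newest first (least data loss)."""
    entries = parse_manifest(manifest_text)
    usable, rejected = [], []
    for name, (expected, taken) in entries.items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            rejected.append((name, "missing"))
        elif sha256_file(path) != expected:
            rejected.append((name, "digest mismatch"))
        elif taken >= intrusion_start:
            rejected.append((name, "taken after intrusion start"))
        else:
            usable.append(name)
    usable.sort(key=lambda n: entries[n][1], reverse=True)
    return usable, rejected


def demo():
    """Writes constructed archives to a temp dir and runs the check against a
    manifest that includes one tampered and one missing archive."""
    d = tempfile.mkdtemp()
    contents = {
        "db-2024-05-01.tar": b"clean old backup",
        "db-2024-05-08.tar": b"clean recent backup",
        "db-2024-05-09.tar": b"tampered on disk",
        "db-2024-05-15.tar": b"taken during dwell time",
    }
    for name, data in contents.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    sha = lambda b: hashlib.sha256(b).hexdigest()
    manifest = "\n".join([
        "# digest  taken  name",
        f"{sha(b'clean old backup')}  2024-05-01T02:00:00Z  db-2024-05-01.tar",
        f"{sha(b'clean recent backup')}  2024-05-08T02:00:00Z  db-2024-05-08.tar",
        f"{sha(b'original contents')}  2024-05-09T02:00:00Z  db-2024-05-09.tar",
        f"{sha(b'taken during dwell time')}  2024-05-15T02:00:00Z  db-2024-05-15.tar",
        f"{'0' * 64}  2024-05-02T02:00:00Z  db-2024-05-02.tar",
    ])
    # Suspected initial access, e.g. the first malicious login found in the logs
    intrusion_start = datetime(2024, 5, 12, tzinfo=timezone.utc)
    return select_restorable(d, manifest, intrusion_start)


if __name__ == "__main__":
    good, bad = demo()
    print("restore from:", good[0] if good else None)
    for name, why in bad:
        print("rejected", name, "-", why)
```

The manifest has to live somewhere the attacker could not reach from the compromised network (printed, on removable media, or in a separate account), otherwise an intruder who can alter the archives can also alter the digests they are checked against.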

Combating business email compromise

Business email compromise (BEC) is social engineering by email: criminals impersonate known contacts, such as an executive, a vendor or a partner, to trick recipients into sending money, changing payment details or sharing confidential or proprietary information or access credentials. Some campaigns also carry malicious attachments or links to credential-harvesting sites, but many BEC messages contain no malware at all, which is why controls that look only for malicious code tend to miss them.

This type of cyber-crime costs businesses billions every year (about $2.7 billion in reported losses in 2024, according to the FBI's Internet Crime Complaint Center (IC3) report). The best line of defense is trained employees who can identify and report the warning signs: urgent or threatening language, unexpected requests to change bank or account information, a Reply-To address that does not match the sender, and links whose real destination differs from the domain shown or uses a lookalike domain that swaps, adds or drops a character.

Businesses should remind employees that while BEC tactics change, they remain rooted in exploiting trust and making illegitimate requests look routine. Email filtering reduces the risk further: publishing SPF and DKIM records and enforcing a DMARC policy for the company's own domains stops exact spoofing of its addresses, and filters can flag lookalike sender domains, mismatched Reply-To headers and first-time senders for review before the message reaches an inbox.
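The indicators listed above, as an added example that is not the article's or any vendor's filter code: a rule-based check over a raw email message that flags a mismatched Reply-To, an executive's display name on an outside address, a lookalike sender domain, pressuring language, a request to change payment details and a link whose visible text differs from its real destination. The company domain, the executive list and the sample message are constructed for the demo.

```python
"""Rule-based BEC indicator check over a raw RFC 5322 message. Added
illustration, not the article's or any vendor's code; the company domain,
executive list and the sample message are constructed for the demo."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list for the demo: the organisation's own domains and the
# display names most likely to be impersonated.
COMPANY_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|today|confidential|wire)\b", re.I)
ACCOUNT_CHANGE = re.compile(r"\b(bank|account|routing|payment) (details|information|number)\b", re.I)
# Digits that attackers commonly swap for letters in lookalike domains
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain, legit):
    """True if `domain` imitates `legit`: identical after digit/letter swaps
    and rn->m substitution, or within one inserted/deleted/changed character."""
    if domain == legit:
        return False
    if domain.translate(CONFUSABLES).replace("rn", "m") == legit:
        return True
    return edit_distance(domain, legit) == 1


def bec_indicators(raw):
    msg = email.message_from_string(raw)
    hits = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        hits.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if from_name.lower() in EXECUTIVES and from_dom not in COMPANY_DOMAINS:
        hits.append(f"display name '{from_name}' is an executive but the address is at {from_dom}")
    for legit in COMPANY_DOMAINS:
        for dom in {from_dom, reply_dom} - {""}:
            if looks_like(dom, legit):
                hits.append(f"{dom} is a lookalike of {legit}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    if URGENCY.search(body):
        hits.append("urgent or pressuring language")
    if ACCOUNT_CHANGE.search(body):
        hits.append("request to change account or payment details")
    # Link text says one host, href goes to another (HTML bodies only)
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        shown = urlparse(text.strip() if "://" in text else "http://" + text.strip()).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown.lower() != actual.lower():
            hits.append(f"link text shows {shown} but points to {actual}")
    return hits


# Constructed sample message with a lookalike domain ('1' for 'l')
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@mail-relay-xyz.net
To: accounts.payable@example-corp.com
Subject: Urgent vendor payment
Content-Type: text/html

Please process this today. Our vendor changed their bank details; the new
routing number is attached. Confirm via <a href="http://examp1e-corp.com.xyz-portal.net/login">https://example-corp.com/portal</a>.
"""

if __name__ == "__main__":
    for hit in bec_indicators(SAMPLE):
        print("-", hit)
```

No single indicator is proof of fraud (an executive really may write from a phone at night), so a filter would typically weight them and route messages above a threshold to a quarantine or a reviewer rather than silently dropping them.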

Preparing against AI-assisted social engineering

Cyber-criminals are using AI to defeat security controls and processes and to trick employees with increasingly convincing communications, including cloned voices and deepfake video, in social engineering attacks.

Educating employees about the risks of AI-powered social engineering is essential for every type of organization. Company leadership should emphasize that any employee with access to company systems is a potential target. Criminals can harvest publicly available information about a person and their colleagues, then use AI to generate messages, voices or video that are highly persuasive and borrow the trust of a real relationship. Businesses should therefore adopt processes that require, and give employees explicit authority to insist on, verification of unusual requests through a separate, known-good channel (calling back on a number already on file, not one supplied in the message), whether the request arrives by text, email, phone or video conference, and should make a second approver mandatory for any change to payment instructions.

Businesses can also deploy AI themselves to counter social engineering. AI-assisted tools can triage alerts, scan for vulnerabilities and flag suspicious messages faster than analysts can review them by hand.

Machine learning (ML), the branch of AI that fits statistical models to large data sets, can be trained on what normal communication looks like inside an organization (who writes to whom, from which addresses, at what times and about what) and then surface messages that deviate from that baseline for review before anyone acts on them.
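The baseline-and-deviation idea in the paragraph above, as an added example that is not the article's or any product's code: a per-sender profile is learned from past messages and a new message is scored by how many parts of that profile it violates. A simple frequency baseline stands in for a trained model here, which is enough to show the mechanism; the message history and the candidate messages are constructed for the demo.

```python
"""Baseline-and-deviation scoring for internal email. A per-sender profile is
built from past messages (frequency counts rather than a trained model) and
a new message is scored by how many profile fields it violates. Added
illustration, not any product's detector; the history and the candidate
messages are constructed."""
from collections import defaultdict

# Constructed history: (sender, recipient, hour_utc, reply_to_domain, requests_payment_change)
HISTORY = [
    ("cfo@example-corp.com", "ap@example-corp.com", 9, "example-corp.com", False),
    ("cfo@example-corp.com", "ap@example-corp.com", 11, "example-corp.com", False),
    ("cfo@example-corp.com", "ceo@example-corp.com", 14, "example-corp.com", False),
    ("cfo@example-corp.com", "ap@example-corp.com", 16, "example-corp.com", False),
    ("vendor@acme-supplies.example", "ap@example-corp.com", 10, "acme-supplies.example", False),
    ("vendor@acme-supplies.example", "ap@example-corp.com", 15, "acme-supplies.example", True),
]


def build_baseline(history):
    """Per-sender profile: who they write to, at what hours, which Reply-To
    domains they use and whether they have ever asked to change payment details."""
    base = defaultdict(lambda: {"recipients": set(), "hours": set(),
                                "reply_domains": set(), "payment_changes": 0})
    for sender, rcpt, hour, rdom, pay in history:
        p = base[sender]
        p["recipients"].add(rcpt)
        p["hours"].add(hour)
        p["reply_domains"].add(rdom)
        p["payment_changes"] += int(pay)
    return base


def hour_gap(h1, h2):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def deviations(baseline, message):
    """List the ways `message` departs from its sender's baseline. An empty
    list means it fits the pattern; several hits together warrant a human
    review before anyone acts on the request."""
    sender, rcpt, hour, rdom, pay = message
    if sender not in baseline:
        return ["sender never seen before"]
    p = baseline[sender]
    out = []
    if rcpt not in p["recipients"]:
        out.append("first message from this sender to this recipient")
    if all(hour_gap(hour, h) > 1 for h in p["hours"]):
        out.append(f"sent at {hour:02d}:00 UTC, outside this sender's usual hours")
    if rdom not in p["reply_domains"]:
        out.append(f"reply-to domain {rdom} never used by this sender")
    if pay and p["payment_changes"] == 0:
        out.append("sender has never requested a payment change before")
    return out


BASELINE = build_baseline(HISTORY)
# Constructed candidates: one routine note and one BEC-style request
ROUTINE = ("cfo@example-corp.com", "ap@example-corp.com", 10, "example-corp.com", False)
SUSPECT = ("cfo@example-corp.com", "ap@example-corp.com", 23, "gmail.com", True)

if __name__ == "__main__":
    for m in (ROUTINE, SUSPECT):
        print(m[0], "->", m[1], deviations(BASELINE, m) or "fits baseline")
```

A production system would learn these profiles from months of mail and weight the fields rather than counting them, but the failure mode is the same at any scale: a baseline built while an attacker already controlled a mailbox will treat their behaviour as normal, so the training window should exclude any period of known compromise.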

Technology will continue to reshape workplace practices. Staying ahead of the curve requires not only embracing new tools and platforms but also maintaining and revisiting a strong cybersecurity foundation.

Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided “as is,” with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor.

Mathew Buchwald is Market Manager, Global Commercial Banking at Bank of America
