Understanding the Evolving Culture of Cybersecurity: Are You Ready for an Attack?
Cybersecurity cases in the post-COVID world are spiking, especially since people are working from home. Our society is more vulnerable than ever before because we are more digitally connected than ever before. It’s critical to understand the latest security threats in order to implement solutions that mitigate risks.
In late 2018, cybercriminals collected the personal information of more than 500 million customers in Marriott’s network. The hackers unleashed a virus that infiltrated the hotel’s system through a downloaded email. The most disturbing fact? The breach went undetected for four years.
Hackers attack every thirty-nine seconds. In the wake of COVID-19 and the recent movement of working remotely, we can assume the frequency will increase in the coming months. Businesses must be prepared to react with equal or faster speed than the attacks.
Ask any IT expert—they will tell you that policies and procedures associated with cybersecurity are constantly evolving due to the nature of the crime. Companies need to make changes in relation to the creativity and curiosity of the attacker working on the other side of the network. That’s why we’ve curated the following essential information about current threats—to help you and your employees understand the latest cyber threats and how to defeat them.
THREAT 1: Phishing
Phishing involves a thread of malware (malicious software) that uses email attachments or counterfeit websites, under the guise that the sender is a trusted source, in order to obtain personal information such as bank account or credit card numbers. Once the attachment is downloaded or the website link is clicked, the virus attaches itself to computer hardware, servers, or networks for the sole purpose of causing damage.
You may view yourself as well-versed in these particular scams and scoff at those who fail to recognize a bogus URL or oddly worded subject line. But be warned. Phishing is a sophisticated scam that easily lures people in with mainstream topics, such as Netflix, Wells Fargo, or Hurricane Katrina. As quickly as an individual’s interest is piqued by a message concerning TV watching habits, bank accounts, or a love for the Louisiana coast, with one click, the system is compromised. The days of the Nigerian prince requesting financial aid are ancient history—phishing scams are far more difficult to spot today.
This year the coronavirus and the stimulus package have taken scams to a new level. According to the Federal Trade Commission, consumers have lost more than $144 million to fraudulent attacks, with more than 30,000 cases linked to online shopping. This may sound peculiar, but when you consider the difficulty of obtaining a bottle of hand sanitizer or a face mask in the spring, it all makes sense.
SOLUTION: Awareness (and Multi-Factor Authentication)
Firstly, awareness is the strongest weapon against phishing attacks. If you create initiatives to ensure people are aware of the risks, it’s more difficult for hackers to exploit them with phishing scams. Education and training are your best defense.
But, as a failsafe in case an employee does get tricked, you should ensure that an attacker needs more than stolen credentials to access any data. Multi-factor authentication (MFA) requires an additional piece of evidence when logging onto an account. This is extremely important for those employees who choose convenience over security by using a weak password. MFA requires individuals to provide proof beyond a username and password using something they have in their possession.
This could come in the form of a text message or an app that provides a specific code that expires in sixty seconds. Some companies may issue a thumb drive, token, or smart card that must be within range of the computer. In some cases, companies use biometric fingerprints, retinal scanners, or facial recognition tools.
Mandating multi-factor authentication may feel unnecessary, but the extra precaution could save businesses thousands of dollars. Of course, MFA doesn’t “fix” the issues of weak and repeated passwords, but it should be noted that a strong password doesn’t eliminate the need for additional authentication factors.
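The app-generated code that expires in sixty seconds can be made concrete with a time-based one-time password (RFC 6238) checked alongside the password. This is an added example, not code from the article or from Theorem; the `Account` class, the sample password, the salt and the secret (the RFC 4226 test key) are constructed for illustration, and the 60-second step follows the article rather than the RFC's 30-second default.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds a code stays valid, per the article (RFC 6238 default is 30)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now) // step)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    """Hypothetical server-side record: password hash plus shared TOTP secret."""
    def __init__(self, password: str, secret: bytes, salt: bytes):
        self.salt = salt
        self.pw_hash = hash_password(password, salt)
        self.secret = secret
        self.last_counter = -1  # highest time window already used

    def login(self, password: str, code: str, now: float) -> bool:
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        counter = int(now) // STEP
        code_ok = hmac.compare_digest(hotp(self.secret, counter), code)
        if not (pw_ok and code_ok) or counter <= self.last_counter:
            return False
        self.last_counter = counter  # each code is accepted once per window
        return True

# Constructed sample data: RFC 4226 test secret and a deliberately weak password.
SECRET = b"12345678901234567890"

def demo() -> dict:
    acct = Account("Summer2020", SECRET, salt=b"constructed-salt")
    code = totp(SECRET, now=30)  # what the employee's app shows in window 0
    return {
        "stolen_password_only": acct.login("Summer2020", "000000", now=30),
        "password_and_code": acct.login("Summer2020", code, now=45),
        "replayed_code": acct.login("Summer2020", code, now=50),
        "expired_code": acct.login("Summer2020", code, now=75),
    }
```

Only the second login succeeds: the weak password alone is rejected, and the same code is refused both when replayed inside its window and after the window has passed. A production verifier would also tolerate small clock drift and rate-limit guesses.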
THREAT 2: Spyware
Spyware is a slightly different type of malware. Traditionally it’s a program that’s been installed on a computer without the person’s knowledge. It runs in the background, undetected, collecting data or website browsing habits. Much like phishing, spyware infiltrates through email attachments, file downloads, and even pop-up ads. But, more aggressive hackers use pirated media.
This is where remote working becomes a potential problem. Your own network might prohibit downloading games, videos, and music, but that is probably not the case for your employees. Many people who work from home will often use their personal laptops to access company files and data. One download from a gaming site may grant spyware access to track browsing history, record passwords, or collect credit card numbers. Suddenly everyone’s personal information in your company is up for grabs for identity theft, not to mention sensitive company data or confidential client projects.
SOLUTION: Company-Issued Devices and Anti-Virus Software
If at all possible, require employees to use company-issued laptops when working at home, versus their own personal devices. This alleviates challenges that may arise when an employee leaves. With a company-issued device, anything on that laptop is the property of the company. If an employee uses a personal computer while working remotely, there’s no way to know how much sensitive information is being downloaded to the hard drive.
It’s also easier for the IT department to support and fix any problems when all devices are consistently the same. Moreover, you can have confidence that reputable anti-virus software has been installed, as well as the latest operating system updates. Can you trust your employees to take the same action at home?
If that question causes anxiety, take it back to the basics. Let your employees know that an outdated system makes them an easy target. Educate your employees on the importance of anti-virus software. Remind them to avoid clicking unknown links and email attachments. They also need to pay attention to messages with uncharacteristic URLs, blurry logos, and noticeable grammatical errors. Make security awareness a part of your company culture.
THREAT 3: Ransomware
A trending vehicle for cyberattacks is ransomware. This malware installs itself onto computers, servers, and networks, rendering the hardware useless and holding data hostage while the hacker demands a ransom in exchange for the encrypted data. If management refuses to participate, most attackers leak the files publicly online or sell sensitive information to third parties.
Ransomware remains a growing concern. With the recent cyberattack on Garmin, and their decision to pay millions of dollars to secure their data, it’s clear that hackers have advanced beyond small businesses and are savvy enough to intrude on the sophisticated systems of Fortune 500 companies. The fact that Garmin paid the ransom poses another problem. The successful security breach is sure to incentivize more ransomware threats in the future. Proper procedures must be put in place to avoid devastating consequences.
SOLUTION: VPN, EPPs, and EDRs
IT departments and security teams will have a better chance of troubleshooting any outside source that might be jeopardizing the company’s level of protection if they have immediate access to the problem. A Virtual Private Network (VPN) creates an extra layer of security, particularly when dealing with vulnerable home networks.
VPNs allow users remote access from any location, which may increase productivity. Along with enhanced security, VPNs have secure data sharing features and can even manage personal computers should companies choose not to issue devices.
Companies can also deploy EPP (endpoint protection platform) and EDR (endpoint detection and response) systems that work to block ransomware and many other forms of malware. An EPP detects and blocks anomalies that indicate an attack, while an EDR actively looks for possible threats and tries to prevent attacks in real time. Essentially, they’re defense and offense.
Cybersecurity Requires Constant Vigilance
Identifying the latest evolution of threats is crucial, and if companies take the necessary steps, the likelihood of a breach is low. The solutions listed can help prevent a variety of attacks, and when utilized together, they may help prevent all of them. Additionally, hiring a team of professional strategists to audit your system’s security posture is a smart idea. Surround your data with people who understand security technology and the culture of malware attacks.
The best way to combat cyberattacks is by educating yourself and your team members on new developments in the field. But it’s also important to surround your data with people who understand security technology and the culture of malware attacks. Leaders must take cybersecurity seriously. And we’re here to help.
Luis Laimer, DevOps Engineer at Theorem
Luis Laimer is an experienced security analyst with a career spanning more than 15 years. He is a former Certified Information Systems Security Professional and active speaker within the security and tech communities. Before joining Theorem, Luis was part of the global information security team at ThoughtWorks and worked as a security consultant in various fields spanning four different countries. He uses a practical and business-focused approach to enhance information security.
Joe McIlvain, Software Architect and Engineer at Theorem
Joe McIlvain is a Solutions Architect and Engineer, focusing on the design and implementation of distributed systems. He helps Theorem’s clients to challenge premises, identify costly problems before they happen, and execute quickly on solving some of their most challenging business issues. He joined Theorem in March 2015.