A silent, insidious pandemic wreaking havoc worldwide — its effects felt everywhere. Financial losses amounting to well over one trillion dollars. Governments are helpless against it. The best hope for defense: individual awareness, good safety practices, proper digital hygiene.
Yes, digital — we are talking, after all, of the cybercrime pandemic.
Last month, a ransomware attack disrupted US fuel supplies, impacting several states and prompting a worldwide hike in oil prices. This high-publicity attack compounds a trend over the past year and a half that has seen a sharp increase in cyberattacks targeting small and large businesses alike.
What is behind this new wave of cybercrime? Let’s take a look at the main causes and what you can do to protect yourself and your business.
Hackers and social engineers
When you think of hackers, your mind may conjure up a hazy image of a nerd typing away on a keyboard to “hack into the mainframe”.
Amusing as it may be, this movie trope is misleading — for two reasons. First of all, most hacking attacks are not the fruit of a single individual’s actions but rather the combined effort of an organized group operating as a business model.
Second, the large majority of hacks target people, not systems. Rather than “hacking the mainframe”, the attacker gets the victim to do the work for them: tricking them into giving up information, or into installing malicious software that then steals their data. The victim is the security flaw.
Or rather: you are the security flaw. You will be targeted. And you need to defend yourself.
Like the Wild West, the internet is a vast, unregulated space, and threats lurk everywhere. In this self-help world, your best bet is constant awareness and good security practices.
How attacks happen
You sleepily open your inbox while sipping your day’s first cup of coffee — another monotonous day working from home. Then, your eyebrows shoot up and your eyes widen. No longer sleepy, you open that urgent email. Your company suffered a cyberattack. Crucial data was leaked. There’s a list of employees whose personal accounts were also hacked.
Click here to check.
And… congrats, you just got yourself social-engineered. Or, if you prefer — hacked.
With access to your system, the attacker can now freely scan your data. Perhaps you have something worth stealing. If he is lucky, you may have been accessing company systems through your personal computer — which is likely since you’re working from home — and now the attacker gains access to all kinds of precious data.
The next day, computers across your company have been infiltrated, key data has been encrypted, and attackers are demanding a not-so-small fortune in return for the stolen files.
Another ransomware attack caused by human failure. If only you knew.
Why working from home facilitates attacks
It is no coincidence that the uptick in cybercrime comes at a time when the coronavirus pandemic has pushed half the world into remote work. More than ever, employees are accessing corporate networks, systems, and data on their personal devices. Many find it quite convenient.
But without the usual layer of company firewalls and access restrictions, your personal devices are inherently unsafe. Add to that the fact that most people are downright lazy when it comes to online security — besides tending to be more relaxed and less aware when sitting in the comfort of their home — and you have a recipe for disaster.
The good news is, by knowing what the main threats are and implementing a few simple and easy security steps, you can radically diminish the chance of becoming a victim.
Understanding the most common attack
As cyber expert Megan Stifel says, “In most cases, ransomware evolves from a suspicious email”.
This is the scenario we considered above. Commonly known as “phishing”, fake email attacks are the single most dangerous threat you need to avert.
Granted, many of them are easy enough to spot — check your Gmail spam folder and you are sure to find all kinds of messages supposedly from your bank, the FBI, an old friend, or someone warning you that private pictures of you were exposed online. Those are the easy ones.
Others, though, are quite sophisticated: so-called “spear-phishing”, or personally targeted attacks.
As you browse the web, you leave behind you a trail of information — data that is often easily obtainable and can be used against you to create an impression of trustworthiness.
An email from “your bank” may contain the last four digits of your credit card. An email from “a work colleague” can use a colleague’s actual name and also drop the names of several other company members to boot. Your birth date, your university, your previous job, it’s all floating around the online world. While not sensitive in itself, this is the knowledge that attackers will eagerly exploit to get you to click that link.
Another common theme in these attacks is urgency. The attacker wants you to click unthinkingly because something needs to be done quickly. Whenever an email startles you, suspect it.
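The spear-phishing tells described above (a borrowed brand name, a reply address that does not match the sender, urgency language, a link whose visible text differs from where it actually points) can be checked mechanically before a human ever reads the message. The following is an added example, not code from the original article or from any vendor: a small triage script that scores raw emails against those four tells. The trusted-domain list, the urgency phrases and both sample messages are constructed for illustration.

```python
"""Heuristic phishing triage over raw RFC 822 messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains this organisation treats as legitimate senders.
TRUSTED_DOMAINS = {"examplecorp.com", "examplebank.com"}

# Constructed: phrases that create the "click unthinkingly" pressure the article describes.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "action required",
                   "account suspended", "verify now", "hacked", "leaked")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def domain_of(addr):
    """Mail domain of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(text):
    """Host named at the start of a URL or URL-looking string, else empty."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else ""


def body_text(msg):
    """Concatenate the text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_email(raw):
    """Return (number of tells found, list of human-readable reasons)."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # Tell 1: replies are routed to a domain other than the claimed sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        reasons.append("reply-to domain %s differs from sender domain %s" % (domain_of(reply), from_dom))

    # Tell 2: the display name borrows a trusted brand, but the address is not that brand's domain.
    flat_name = re.sub(r"[^a-z0-9]", "", name.lower())
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in flat_name and from_dom != trusted and not from_dom.endswith("." + trusted):
            reasons.append("display name claims %s but address is @%s" % (brand, from_dom))

    # Tell 3: urgency language in the subject or body.
    body = body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))

    # Tell 4: a link whose visible text names one host while the href goes to another.
    for href, anchor in LINK_RE.findall(body):
        shown = host_of(anchor)
        if shown and shown != host_of(href):
            reasons.append("link text shows %s but points to %s" % (shown, host_of(href)))
    return len(reasons), reasons


# Constructed sample: the "your company was hacked, click here" lure from the article.
PHISH = """From: ExampleCorp IT Security <alerts@examplecorp-security.net>
Reply-To: recovery@mail-recovery.example
To: you@examplecorp.com
Subject: URGENT: your account was included in the leak
Content-Type: text/html

<p>Crucial data was leaked. Check whether your personal accounts were hacked within 24 hours.</p>
<p><a href="https://login.examplecorp-security.net/check">https://examplecorp.com/security/check</a></p>
"""

# Constructed sample: a routine internal notice with none of the tells.
LEGIT = """From: Payroll <payroll@examplecorp.com>
To: you@examplecorp.com
Subject: May payslip available
Content-Type: text/plain

Your payslip for May is now in the HR portal. No action is needed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        score, why = score_email(raw)
        print(label, score, why)
```

A script like this is a filter, not a verdict: a single tell (urgency words alone) is common in legitimate mail, so it is the combination of a mismatched reply path, a look-alike domain and a disguised link that should move a message to the quarantine queue for a human to confirm the request out of band.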
Best security practices
A few good practices can make you safer than 99% of individuals or businesses.
- Suspect ANY unexpected email that requires you to download an attachment or click a link. DON’T click or download before making sure the request is legitimate.
- Keep your software up-to-date. Updates are annoying, sure, but they keep you safe by patching security failures that hackers will use. Don’t delay them.
- Don’t be lazy with passwords. Most people use passwords that are too short or include info that can be related to you (birth dates). Go to Diceware and create randomized passwords for all your key accounts, or use phrases including numbers and symbols for your passwords. Write down your passwords in a physical notebook and keep it safe.
- Use a different password for each account. Low-security systems are easily breached, and hackers will use your password from leaked, unimportant accounts to try and gain access to things like your email, social media, or company account.
- Use reliable, updated antivirus software. Even if you click a malicious link or download, your antivirus software may catch it and alert you in time.
- Create a different computer user for all company-related stuff. Have three user accounts: one with admin privileges that you never use day to day, one for personal stuff, and one exclusively for work. This adds an extra layer of security to sensitive work content even if your personal account gets infected while you browse the web.
- Activate two-factor authentication for your main accounts so that anyone accessing them from a different device will need to first enter a confirmation code sent to your email or phone number.
- Avoid working on public Wi-Fi. Anything you send or receive through the internet can potentially be read by whoever controls the network, or by others connected to it.
- Consider doing a security audit for your online information, including social media, and removing as much of it as possible or making sure it’s only available to people you know.
- Use a password-monitoring system such as the ones offered by Google Chrome or Avast, so you get to know if any of your passwords have been leaked on the Deep Web — this happens more often than you think.
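The Diceware advice above is worth seeing in code, because the two things that make it work are easy to get wrong: the words must come from an unpredictable source, and the strength depends on the size of the list and the number of words, not on how odd the words look. The following is an added example, not the Diceware project's own code. Real Diceware uses a list of 7776 words indexed by five dice; the 36-word list here is a constructed stand-in indexed by two dice, and the entropy helpers show why a small list needs many more words to reach the same strength.

```python
"""Diceware-style passphrase generation with a CSPRNG and an entropy estimate (added example)."""
import math
import secrets

# Constructed 36-word stand-in for a real Diceware list (which has 6**5 = 7776 words,
# one per five-dice roll). Two dice index this list; five dice index the real one.
SAMPLE_WORDS = [
    "apple", "river", "stone", "cloud", "maple", "tiger", "piano", "lemon", "coral",
    "eagle", "frost", "honey", "igloo", "jolly", "kayak", "lunar", "mango", "noble",
    "ocean", "pearl", "quilt", "robin", "sugar", "tulip", "umbra", "vivid", "wheat",
    "xenon", "yacht", "zebra", "amber", "bison", "cedar", "delta", "ember", "flute",
]


def dice_per_word(wordlist):
    """A list of 6**k words is indexed by k dice; refuse any other size."""
    k = round(math.log(len(wordlist), 6))
    if 6 ** k != len(wordlist):
        raise ValueError("word list size must be a power of six")
    return k


def roll_dice(k):
    """k independent rolls from the OS CSPRNG (secrets), never the random module."""
    return [secrets.randbelow(6) + 1 for _ in range(k)]


def dice_to_index(rolls):
    """Read the rolls as a base-6 number: 1-1-1-1-1 -> 0, 6-6-6-6-6 -> 7775."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("each die shows 1..6")
        index = index * 6 + (r - 1)
    return index


def entropy_bits(n_words, list_size):
    """Strength of a passphrase of n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Fewest words from a list of list_size that reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(n_words, wordlist=SAMPLE_WORDS, sep=" "):
    """Roll dice n_words times and look each roll up in the list."""
    k = dice_per_word(wordlist)
    return sep.join(wordlist[dice_to_index(roll_dice(k))] for _ in range(n_words))


if __name__ == "__main__":
    print(passphrase(5))
    print("6 words from the real list:", round(entropy_bits(6, 7776), 1), "bits")
    print("words from this 36-word list for 77 bits:", words_needed(77, 36))
```

Six words from the real list give roughly 77 bits, which is why the usual recommendation is six or more; the same 77 bits needs fifteen words from a 36-word list, so the stand-in here is for reading the algorithm, not for generating passphrases you would actually use.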
There are three things you can do to dramatically increase the security of your company data.
Restrict access to company data
This is quite simple: follow the “need-to-know” principle, where knowledge and data are shared only when necessary. Another thing that Kevin Mitnick, the legendary social-engineer-turned-security-expert, recommends is classifying all information according to its importance and sensitivity. The classification can then be used as a basis for employee access.
Make sure your people follow security practices
Organize mandatory training and awareness programs and ensure everyone in your company is aware of cyber threats and implements the above-mentioned security practices while working remotely.
Use data room software
Corporate management software and data rooms offer a much greater level of security while working from home. While essentially platforms for communication and data exchange, they come equipped with security-oriented resources that can make all the difference in protecting your company from cyberattacks.
In a data room, you can:
- Set data to automatically back up to the cloud, helping to protect yourself against ransomware attacks.
- Classify files according to their sensitivity level and grant access to users on a need-to-know basis.
- Monitor who viewed or downloaded any file and when. It is notoriously hard to notice data theft until it’s too late, but with this function you are much more likely to realize what’s happening in real time.
- Prevent downloading, copying, or screenshots of company files.
- Use encryption for communication, such as video conferences and file transfers. This prevents someone controlling an employee’s Wi-Fi network from accessing your data.
- Set automatic timeouts for platform access. If an employee leaves the platform open on their computer, they’ll be automatically logged off after a set time.
- Remove user accounts of former employees.
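The access-control side of the list above (need-to-know classification from the “Restrict access to company data” section, view-versus-download restrictions, an audit trail of who touched which file, idle timeouts and immediate removal of former employees) fits in one small model. The following is an added example, a toy in-memory data room written for this article, not any vendor's product code. The classification ladder, the users, the documents and the timestamps are all constructed.

```python
"""Need-to-know access control with an audit trail and idle timeout (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed classification ladder: a higher number means more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class User:
    name: str
    clearance: str                               # highest level this person may read
    projects: set = field(default_factory=set)   # need-to-know scope
    active: bool = True                          # False once offboarded


@dataclass
class Document:
    name: str
    level: str
    project: str


class DataRoom:
    def __init__(self, idle_timeout=timedelta(minutes=15)):
        self.users, self.docs = {}, {}
        self.sessions = {}       # user name -> time of last activity
        self.audit = []          # (when, user, doc, action, allowed, reason)
        self.idle_timeout = idle_timeout

    def add_user(self, user):
        self.users[user.name] = user

    def add_doc(self, doc):
        self.docs[doc.name] = doc

    def login(self, name, now):
        self.sessions[name] = now

    def offboard(self, name):
        """Former employees lose access at once; their audit history is kept."""
        self.users[name].active = False
        self.sessions.pop(name, None)

    def request(self, name, doc_name, action, now):
        """Decide one access request, record it, and return (allowed, reason)."""
        user, doc = self.users.get(name), self.docs[doc_name]
        allowed, reason = self._decide(user, doc, action, now)
        self.audit.append((now, name, doc_name, action, allowed, reason))
        if allowed:
            self.sessions[name] = now    # successful activity extends the session
        return allowed, reason

    def _decide(self, user, doc, action, now):
        if user is None or not user.active:
            return False, "no active account"
        last = self.sessions.get(user.name)
        if last is None or now - last > self.idle_timeout:
            self.sessions.pop(user.name, None)   # automatic logoff
            return False, "session expired; log in again"
        if LEVELS[user.clearance] < LEVELS[doc.level]:
            return False, "clearance %s below %s" % (user.clearance, doc.level)
        if doc.project not in user.projects:
            return False, "no need-to-know for project %s" % doc.project
        # Viewing is the only action on confidential or higher material; no download or copy.
        if action != "view" and LEVELS[doc.level] >= LEVELS["confidential"]:
            return False, "%s blocked for %s documents" % (action, doc.level)
        return True, "ok"

    def history(self, doc_name):
        """Every decision ever made about one document, allowed or not."""
        return [e for e in self.audit if e[2] == doc_name]


if __name__ == "__main__":
    room = DataRoom()
    room.add_user(User("alice", "confidential", {"m&a"}))
    room.add_doc(Document("term-sheet", "confidential", "m&a"))
    t0 = datetime(2021, 6, 1, 9, 0)
    room.login("alice", t0)
    print(room.request("alice", "term-sheet", "download", t0))
    for entry in room.history("term-sheet"):
        print(entry)
```

Two design points carry over to real systems: denied requests are logged as carefully as allowed ones, because a burst of “no need-to-know” refusals is the earliest sign that an account is being misused, and a session is only extended by a successful action, so an expired or offboarded account cannot keep itself alive by retrying.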
Data rooms are also particularly useful during critical M&A processes, ensuring data security through and through.
If you are serious about defending your company from cyberattacks, prevention is key. Don’t fall into the trap of thinking it won’t happen to you — it never does until it does. Cybercrime is profitable, and it’s set to increase even more. Now is the time to take steps to secure yourself, your company, and your employees.