Chapter 1: The Threat
The rate at which cyber attacks are growing is astonishing. In 2016, McAfee Labs estimated cyber attacks were running at about 400,000 per day. Only a decade earlier, it was just 25!
A billion personal records are now stolen each year, degrading trust in the organisations victimised, and in the internet itself. The scope of cyber attacks has broadened exponentially too. Where once individual retailers or banks were targeted, now entire supply chains, financial networks, and stock markets may be targets, potentially affecting the integrity of international financial systems, or the GDP of an entire country.
Small and medium-sized enterprises (SMEs) like yours and mine are a popular target for hackers and ransomware because we tend to have fewer resources available for cyber security than large organisations do. Over 150,000 U.S. SME websites are infected by malware at any one time, and SMEs have been involved in nearly 45% of all data breaches. It's fair to say the numbers are unlikely to be better internationally.
Many SMEs falsely believe they're too small to be targeted. If that's what you think, remember this: even a 'smaller' ransom of a few hundred dollars is still highly profitable for cyber criminals. Remember, they are targeting large numbers of SMEs.
As a director and/or owner of a business, you know you have a legal and moral responsibility to clearly understand how you are protecting your business, customers, and staff from online risks, e.g. harassment, copyright/IP usage, customer data privacy, and improper material being sent or received. However, that's not all. Financially, European Union courts can hit you with a fine of up to 4% of your total revenue for a data breach involving their citizens, regardless of where your business is based!
If there's one thing that you should keep in mind when thinking about internet threats, it's this: assume that you WILL get attacked at some time. With that in mind, you need to be very clear on governance in your business, i.e. who is responsible for your business's cyber security? You need to ensure you have a very clear policy on escalation when there is a cyber issue, and on when to call in external entities, e.g. law enforcement, lawyers, PR, I.T. security firms, etc.
Many businesses neglect this, but if you use third party vendors for your critical systems or supply chain, then you also need to assess the cyber risk factors associated with these vendors. This may be challenging to do, but even a rudimentary audit should catch the most glaring issues. If your company is unable or unwilling to do this itself, then you can use a company like CyberGRX to audit your third party vendors. If a supplier is unwilling to provide this information, then it is worth your while to rethink whether you want to be in that business relationship.
The rise of the mobile workforce has made it challenging for I.T. teams in larger enterprises, let alone SMEs, to protect data that is created outside of the business's firewall. Simplifying data protection for laptops and mobile devices begins with providing backup to your mobile workforce, and giving I.T. one place to manage all of your business devices' data protection needs, regardless of whether a device is business supplied or a personal device used under a Bring Your Own Device (BYOD) scheme.
An increasing area of threat for SMEs is the Internet of Things (IoT). IoT devices are always connected and always on, and they typically go through only a one-time authentication process, which makes them perfect sources of infiltration into an organisation's network. As a result, these IoT gateways need to be better secured to improve the security of your overall business cyber infrastructure.
There are software tools such as WhiteOps that monitor the network data flow, identify malicious bots, flag suspicious files, and analyse them for destructive or malicious intentions; invest in them. These may seem like small measures, but they play a big role in the overall IoT security strategy.
If all else fails, at least be prepared for potential security breaches. Eventually, they will happen, to you or someone else (preferably a competitor who hasn't read this book). Always have an exit strategy: a way of securing as much data as possible, and of rendering compromised data useless without wrecking your I.T. infrastructure. You should also educate customers, employees, and everyone else involved in the process about the risks of such breaches. Instruct them on what to do in case of a breach, and what to do to avoid one. Employees (in particular any employee that touches data) should take a cyber-awareness course to increase their awareness of the risks, and to improve the cyber security of your business.
Of course, a good disclaimer and Terms of Service (TOS) will also help if you end up dealing with the worst-case scenario.
Before we jump into the various strategies to help keep you safe and secure online, I need to give you a better idea of the threats you face online. The online world is full of various terms relating to the nefarious acts of online ne'er-do-wells out to do you cyber harm. You will come across these terms on the news, while surfing, or just in conversations with friends and colleagues. This is what some of them mean.
Viruses
Viruses are harmful computer programs that can be transmitted in a number of ways. Although they differ in many ways, all are designed to spread themselves from one computer to another through the Internet and cause havoc. Most commonly, they are designed to give the criminals who create them some sort of access to those infected computers.
Spyware
The terms "spyware" and "adware" apply to several different technologies. The two important things to know about them are that:
- They can download themselves onto your computer without your permission. This typically happens when you visit an unsafe website or by way of an attachment.
- They can make your computer do things you don't want it to do. That might be as simple as opening an advertisement you didn't want to see. In the worst cases, spyware can track your online movements, steal your passwords, and compromise your accounts.
Botnets
Botnets are networks of computers infected by malware (computer viruses, keyloggers, and other malicious software) and controlled remotely by criminals, usually for financial gain or to launch attacks on websites or networks.
If your computer is infected with botnet malware, it communicates with and receives instructions about what it's supposed to do from "command and control" computers located anywhere around the globe. What your computer does depends on what the cyber-criminals are trying to accomplish.
Many botnets are designed to harvest data such as passwords, social security numbers, credit card numbers, addresses, telephone numbers, and other personal information. The data is then used for nefarious purposes such as identity theft, credit card fraud, spamming (sending junk email), website attacks, and malware distribution.
Phishing
To summarise Wikipedia, "Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication." The word sounds like fishing because of the similarity of using bait in an attempt to catch a victim.
According to research by Verizon, about 30% of phishing mails get opened, while approximately 11% of attachments in these emails also get opened. The average marketing email gets opened less than 1% of the time. How the villains behind these emails are getting this level of open rate should be the subject of a case study on marketing! There appears to be a clear mismatch between the false confidence people have in their ability to spot a phishing email, and reality. Interestingly, according to a Webroot survey, fully 79% of people claimed they would be able to distinguish between a phishing message and a genuine one, but then nearly half (49%) also admitted to clicking on a link from an unknown sender. A further 48% said they had experience of their personal or financial data being compromised by a phishing message. This level of hubris is what leads to bad outcomes for people at a personal and professional level. That's why I wrote this book, to help you combat this.
Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website, the look and feel of which are almost identical to a legitimate one. Communications purporting to be from social web sites, auction sites, banks, online payment processors, or IT administrators are often used to lure victims. Phishing emails may also contain links to websites that are infected with malware.
The emails cyber-criminals send often urge you to act quickly, because, for example, your account has been compromised, your order cannot be fulfilled, or some other seemingly logical reason.
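The two warning signs described above, a lure page dressed up to look legitimate and a message that pushes you to act quickly, can be checked mechanically before anyone clicks. The following is an added example, not code from the book: it parses a constructed sample email, flags any link whose visible text shows one website while the underlying address points to another, and counts urgency phrases of the kind the chapter describes. The sender, hosts, links and the phrase list are all assumptions made up for this illustration.

```python
"""Heuristic phishing-indicator check on a captured email (added example, constructed data)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Urgency cues of the kind the chapter describes; an assumed starter list, not a complete one.
URGENCY_PHRASES = (
    "act now", "immediately", "within 24 hours", "account has been compromised",
    "verify your account", "suspended", "cannot be fulfilled", "urgent",
)

# Constructed sample message: sender, hosts and links are made up for this example.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-alerts.test>
To: owner@smallbiz.test
Subject: Urgent: your account has been compromised
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been compromised. You must verify your account within 24 hours.</p>
<p><a href="http://login.example-bank.verify-now.test/session">https://www.example-bank.test/login</a></p>
</body></html>
"""

# Constructed benign message for comparison: link text and destination agree, no urgency cues.
BENIGN_EMAIL = """\
From: "Example Bank" <statements@example-bank.test>
To: owner@smallbiz.test
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your monthly statement is available.</p>
<p><a href="https://www.example-bank.test/statements">https://www.example-bank.test/statements</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def find_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""

    parser = _LinkCollector()
    parser.feed(html)

    findings = []
    for href, text in parser.links:
        # Visible text that looks like a URL but leads somewhere else is the classic look-alike lure.
        if text.startswith(("http://", "https://")) and _host(text) != _host(href):
            findings.append(f"link text shows {_host(text)} but href goes to {_host(href)}")

    # Subject plus tag-stripped body, lower-cased, for phrase matching.
    plain = ((msg["subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in plain]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, find_indicators(sample) or ["no indicators"])
```

The link check only fires when the visible text itself looks like a URL, because that is the case where a reader is being shown a destination; a mismatch there is hard to explain innocently, whereas ordinary "click here" links legitimately point anywhere. Phrase matching is deliberately crude and will miss a well-written lure, which is exactly why the chapter treats awareness training, not tooling, as the first line of defence.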
Two other types of phishing attack that are gaining in popularity are Zombie Phishing, and the use of URL shorteners. Zombie Phishing happens when attackers take over an email account and reply to an old email conversation with a phishing link. Because both the sender and subject are familiar to the recipient, the recipient is more likely to accept the email as being genuine.
URL shortening is a service provided by companies such as Bitly or TinyURL. These services allow users to shorten really long URLs, typically to blogs, offers, etc., so they take up less space. You may have seen URLs that look like this example of URL shortening: https://tinyurl.com/m3q2xt. These links are rarely blocked by URL content filters as they don't reveal the true destination of the link. Also, users who are generally vigilant and wary about suspect domain names might be less likely to identify a shortened link as malicious.
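Because a shortened link hides its destination, the defensive move is to reveal that destination without ever loading the final page. The following is an added example, not code from the book or from any shortening service: it sends a HEAD request for each hop, reads the Location header without letting urllib follow it, and stops after a fixed number of hops so a redirect loop cannot run forever. The short.example, tracker.example and loop.example hosts and the redirect table are constructed so the example runs offline; for a live check, pass no resolver and the real head_location function is used.

```python
"""Reveal where a shortened URL leads without following it in a browser (added example)."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each Location header is surfaced to us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # not handled: urllib raises HTTPError carrying the headers


def head_location(url, timeout=10):
    """One HEAD request; returns (status, Location header or None) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "link-checker"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand(url, resolver=head_location, max_hops=5):
    """Walk the redirect chain one hop at a time and return every URL seen, starting with url.

    Stops at the first non-redirect response, a missing Location header, or max_hops,
    so a redirect loop terminates instead of running forever.
    """
    chain = [url]
    current = url
    for _ in range(max_hops):
        status, location = resolver(current)
        if status not in REDIRECT_CODES or not location:
            break
        current = urljoin(current, location)  # Location may be relative to the current URL
        chain.append(current)
    return chain


def summarise(chain):
    """What a user wants to know before clicking: where it looks like it goes, and where it really goes."""
    first_host = urlparse(chain[0]).hostname
    final_host = urlparse(chain[-1]).hostname
    return {
        "visible_host": first_host,
        "final_host": final_host,
        "hops": len(chain) - 1,
        "host_changed": first_host != final_host,
    }


# Constructed redirect table standing in for live responses, so the example runs offline.
FAKE_RESPONSES = {
    "https://short.example/abc": (301, "https://tracker.example/r?id=1"),
    "https://tracker.example/r?id=1": (302, "/landing"),
    "https://tracker.example/landing": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def fake_resolver(url):
    """Offline stand-in for head_location backed by the constructed table above."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    chain = expand("https://short.example/abc", resolver=fake_resolver)
    print(" -> ".join(chain))
    print(summarise(chain))
```

A HEAD request still contacts each server in the chain, so run this from a machine you do not mind the shortener's logs seeing, not from a production workstation; what it avoids is rendering the final page, which is where the harm usually sits. Many shortening services also offer a preview feature for the same purpose, which is the simpler option when it is available.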
While email is still the number one form of phishing attack, cybercriminals are also using a variety of other methods to trick their intended victims into giving up personal information, revealing login credentials, or even sending money. Increasingly, phishing involves SMS texting attacks against mobiles, or the use of messaging on social media and gaming platforms. The first half of 2019 alone saw a 50% increase in attacks by mobile banking malware compared to 2018. This malware ...