Raja Pradeep Jayamohan is co-founder and director of AUP IT, an independent, vendor-agnostic professional services and consulting organisation. Its principal areas of focus are CIO as a Service, cybersecurity and outsourced IT support.
Cybersecurity is an important topic for every business. There has been a great deal of news lately about banks, corporations and government institutions being hacked and having their information stolen or encrypted. What many people do not realise is that a large share of these attacks are the work of organised criminal gangs operating globally, who are adept at exploiting vulnerabilities for financial gain.
According to Cybersecurity Ventures, cybercriminal activity will be the biggest challenge humanity faces over the next two decades. They state that by 2021 cybercrime will cost the world $6 trillion annually, up from $3 trillion in 2015, and that attacks continue to grow in size, cost and sophistication. Cybersecurity Ventures also predicts 6 billion internet users by 2022 and more than 7.5 billion by 2030, and argues that this growth in users will bring a corresponding rise in cybercrime (Morgan, 2017).
Microsoft estimates that by 2020 four billion people will be online, fifty billion devices will be connected to the internet and the volume of data online will be 50 times greater than today, which greatly enlarges the attack surface available to malicious actors (The Emerging Era of Cyber Defense and Cybercrime, 2016).
Cybersecurity covers a great many topics. Here we focus on three: ransomware, phishing and social engineering.
What is Ransomware?
Ransomware is a type of malicious software that blocks access to a computer system, or to the files stored on it, usually by encrypting them. The attackers then demand a payment, the ransom, in exchange for restoring access, hence the name. Paying does not guarantee that a working decryption key will be supplied. In the past few years the number of attacks has grown rapidly in both scale and sophistication.
In 2015 these attacks cost businesses worldwide $325 million, and experts predict the figure will reach $11 billion by 2020. Some figures from industry reporting:
- Over 4,000 ransomware attacks occur every day.
- Nearly 60% of ransomware attacks are delivered by email as embedded URLs.
- Consumer infection rates are on the decline.
- The biggest ransomware targets are small and medium-sized businesses.
- Ransomware works by encrypting important data and then “selling” it back to its owner.
- For retail businesses, ransomware is the second largest cybersecurity threat.
How do you protect yourself from malicious actors?
There are numerous steps that together make up basic cyber hygiene.
The first is an audit or review to identify the risks the business faces and the potential impact of each.
The next step is to put together a plan for mitigating the risks identified during the audit. A risk mitigation approach would typically include:
- Have a clearly articulated IT security policy
- Ensure firewalls and internet gateways are securely configured and kept up to date
- Ensure all devices that connect to the network have business-grade anti-virus and anti-ransomware installed, and that operating systems and applications are patched
- Keep regular backups, with a copy held off-site or offline, and test that they restore, so that encrypted data can be recovered without paying a ransom
- Ensure that staff are trained to recognise potential threats and report them to IT.
What is phishing?
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication (Wikipedia, 2019).
In practice it means deceiving a user, usually by email, into taking an action that gives the attacker a foothold: entering credentials on a fake login page, opening a malicious attachment or approving a payment. Business email compromise (BEC) attacks, in which the attacker impersonates an executive, colleague or supplier to redirect payments or extract data, have become more sophisticated and far more numerous in recent years.
Around 50% of phishing sites now use HTTPS in an attempt to look legitimate, so a padlock icon in the browser says nothing about whether a site is genuine. Phishing attacks vary in sophistication, and spear phishing, which targets specific individuals with tailored messages, is reported to be on the rise. Researchers found that 83% of spear phishing attacks impersonate brands that users are familiar with and trust (Keck, 2019).
In 2017, 76% of businesses reported being hit by phishing attacks, a shift from earlier years when phishing mostly targeted consumers. According to Kirolov (2015), an average large company (10,000 employees) spends $3.7 million a year dealing with phishing attacks, half of it in lost productivity.
How to protect yourself from phishing attacks?
Various steps can be taken to protect against phishing. Proactive measures include:
- Enforcing two-step verification or multi-factor authentication, so that a phished password alone does not give the attacker access
- Raising employees' security awareness by training them to identify phishing and to handle a suspected message appropriately
- Using security tools such as antivirus software to protect systems and devices from the malware that is continuously spread via phishing emails
- Taking regular backups and keeping a copy off-site
- Trusting but verifying: where possible, confirm an unexpected request with the sender through a channel you already know, such as a phone number on file, rather than the contact details in the email
- Not enabling macros in document attachments received by email; a prompt to "enable content" or "enable editing" to view a document is a common lure
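As an added illustration of the last two points (checking where a link really goes before trusting it, and treating macro-capable attachments with suspicion), the Python below is example code written for this page, not a tool from AUP IT or from any of the cited sources. It runs two checks over a constructed sample message: whether a link's visible text points somewhere other than its real destination or uses a lookalike of a trusted domain, and whether an attachment can carry VBA macros, including a .docx that hides a vbaProject.bin part behind a harmless-looking extension. The domain examplebank.com, the message text and the attachments are all made up for the example.

```python
import io
import os
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data for this example only: examplebank.com is a placeholder,
# and the message text is invented, not taken from any real campaign.
TRUSTED_DOMAINS = {"examplebank.com"}
SAMPLE_HTML = """
<p>Your account has been limited. Please verify your details:</p>
<a href="https://examplebank-secure-login.com/verify">https://www.examplebank.com/login</a>
<p>Or visit the <a href="https://www.examplebank.com/help">help centre</a>.</p>
"""

class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html, trusted_domains):
    """Flag links whose visible text or host does not line up with a trusted domain.
    The scheme is ignored on purpose: https:// only proves the attacker controls
    that domain's certificate, not that the domain is legitimate."""
    parser = _LinkParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        # 1. The visible text looks like a URL but the link goes somewhere else.
        if re.match(r"(?i)^(https?://|www\.)\S+$", text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != host:
                findings.append(f"link text shows {shown} but points to {host}")
        # 2. Lookalike: the host borrows a trusted brand name without being that domain.
        for domain in trusted_domains:
            brand = domain.split(".")[0]
            if brand in host and host != domain and not host.endswith("." + domain):
                findings.append(f"lookalike domain {host} imitates {domain}")
    return findings

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
LEGACY_OLE = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}

def macro_risk(filename, data):
    """Return a reason string if the attachment can carry VBA macros, else None."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in MACRO_EXTENSIONS:
        return f"{filename}: macro-enabled Office format"
    if data.startswith(b"PK"):  # OOXML (.docx/.xlsx/...) is a zip package; look inside it
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                if any(n.lower().endswith("vbaproject.bin") for n in package.namelist()):
                    return f"{filename}: contains vbaProject.bin despite its extension"
        except zipfile.BadZipFile:
            return f"{filename}: looks like an Office package but is not a valid zip"
        return None
    if ext in LEGACY_OLE:
        return f"{filename}: legacy binary Office format, macros cannot be ruled out without OLE parsing"
    return None

def build_ooxml(with_vba):
    """Build a minimal, constructed OOXML-style package for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            package.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()

SAMPLE_ATTACHMENTS = [
    ("Invoice.docx", build_ooxml(with_vba=True)),   # macro project behind a harmless-looking extension
    ("Statement.docx", build_ooxml(with_vba=False)),
    ("Form.xlsm", b"PK\x03\x04"),                   # extension alone is enough to flag
]

def triage_email(html, attachments, trusted_domains):
    """Combine link and attachment checks into one list of findings for the help desk."""
    findings = suspicious_links(html, trusted_domains)
    for name, data in attachments:
        reason = macro_risk(name, data)
        if reason:
            findings.append(reason)
    return findings

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_HTML, SAMPLE_ATTACHMENTS, TRUSTED_DOMAINS):
        print("FLAG:", finding)
```

Note that the lookalike link in the sample uses HTTPS and would show a padlock in a browser; the check deliberately ignores the scheme. Legacy .doc and .xls files are only flagged as "cannot rule out" because inspecting their OLE streams needs a dedicated parser such as oletools, which this example does not use.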
Social Engineering Attacks
What are Social Engineering attacks?
Social engineering is where attackers exploit human psychology rather than technical weaknesses to gain access to networks, systems or physical locations. It has become a preferred tactic among attackers because it is easier to exploit a person's natural inclination to trust than to find a flaw in their software.
Social media, and our tendency to overshare on it, provides most of the information an attacker needs, free of charge. From social media an attacker can learn routines, patterns of behaviour and contacts, and can often find the answers to the security questions used to authenticate users or reset passwords.
Medical identity theft nearly doubled over five years, from 1.4 million adult victims to over 2.3 million in 2014, and in 88% of reported cases personal data was the stolen asset. The average time it takes an attacker to land the first victim of a campaign is 82 seconds.
How to protect yourself from Social Engineering attacks?
Social engineering is not a new threat, but it is increasingly the attacker's first choice. No product or appliance can fully protect against it, but the following measures reduce the risk:
- Securing computing devices by keeping antivirus and anti-malware software updated
- Using multi-factor authentication on devices and critical applications
- Being suspicious of offers that seem too good to be true, and of messages that press for urgent action
- Trusting but verifying: confirm unusual requests through a second, known channel before acting on them
- Providing security awareness training to everyone in the organisation.
In conclusion, given the significant business and economic impact, organisations need to become more cyber-resilient. Input from experienced IT and security professionals will help them prepare for and prevent these attacks. They should acquire, develop and retain key talent, and align the work of their cyber team with the business risks that matter most.
If your company does not have an IT policy, or your team does not follow good IT security practice, you could be at risk. AUP IT can help you with the right cybersecurity solutions; contact TrinityP3 to discuss an IT consultation.