As organizations increasingly leverage cloud-based applications and look at another year of working from home, security professionals predict increased security threats and cybercriminal activity in 2021. Some estimates put the increase in attacks during the pandemic at 400% or more. Global cybercrime costs are expected to grow by 15% per year over the next five years, reaching $10.5 trillion annually by 2025.
What should you expect? Malware attacks, ID Theft, Ransomware, and Cloud-Based Network Attacks. We can discuss the employee behaviors and vulnerabilities that can trigger each of those attacks, but those are the most common criminal attacks.
For business leaders, it’s time to operationalize security — meaning weaving security practices and “mindfulness” into the daily actions and culture of the enterprise.
Malware is any type of malicious software that’s installed on someone else’s device without their knowledge. It is used to gain access to personal information, damage the device, or access the computer network with criminal intent.
Ransomware (more below) is a type of malware that prevents or limits users from accessing their own system or data, and the business is forced to pay a ransom to regain the data or access to their own systems. A network attack attempts to gain unauthorized access to an organization’s network, with the objective of stealing data or performing other malicious activity.
Social Engineering/ID Theft
Good old-fashioned social engineering means someone emails or calls you and asks for your password or login information, claiming to be from IT, and you provide that info. Recently, this happened at Twitter, where someone messaged a Twitter employee asking for login info, claiming they were from Twitter IT. Before you knew it, the bad actor was able to hack into the Twitter accounts of Bill Gates, Apple, Elon Musk and Barack Obama.
A company like Twitter is spending millions of dollars on security software and security applications — and yet, all it takes is one bad actor talking their way into login credentials and you’ve got a data breach. Microsoft reports that social engineering attacks have jumped to 20,000 to 30,000 a day in the U.S. alone.
ID Theft is when someone uses another person’s personal identifying information, such as their name or identifying number, without their permission, to commit fraud or other crimes.
Cloud-Based Attacks
Another vulnerability is the configuration of Internet applications. As businesses increasingly utilize cloud technology, it is important to validate the basic security configuration for access control and to ensure that only the permissions required for use are applied, nothing more. An example is using a cloud-based file share to share and collaborate on a document; the access and permissions for use should be controlled and not set to ‘everyone’ or otherwise broadly permissive. In a recent real-world example, an HR professional uploaded a document containing employee personal identifying info into a Dropbox folder that didn’t restrict access and was open to the ‘public.’ So you had PII, personal identifying info, that was accessible to any public entity that could find the open folder (and there are tools to scan and do just that). You always need to configure access to only people who specifically need the access. Any access also needs to be thought through from a security perspective, where security professionals should:
- Implement strong passwords.
- Use two-factor and/or multi-factor authentication (any secondary form of authentication, such as an SMS text PIN or a soft or hard token, which some enterprises implement).
- Check and maintain your access controls and permissions over time. Update as required.
- Delete data/files when they are no longer needed. Don’t let them sit there in perpetuity.
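The checks in the list above, applied to a file-share inventory, as an added example that is not part of the original article. The record fields, severity labels and 180-day idle threshold are assumptions and do not match any real provider's export format.

```python
from datetime import date

# Constructed sample inventory. Field names are hypothetical and do not
# match any real provider's export format.
SHARES = [
    {"path": "/HR/employee-records.xlsx", "access": "Public", "contains_pii": True,
     "owner_mfa": False, "last_used": date(2020, 3, 1)},
    {"path": "/Finance/q4-forecast.xlsx", "access": "restricted", "contains_pii": False,
     "owner_mfa": True, "last_used": date(2021, 1, 10)},
    {"path": "/Marketing/launch-deck.pptx", "access": "everyone", "contains_pii": False,
     "owner_mfa": True, "last_used": date(2020, 12, 1)},
]

BROAD_ACCESS = {"public", "everyone", "anyone_with_link"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def audit_share(share, today, max_idle_days=180):
    """Return (severity, issue) findings for one share, worst first."""
    findings = []
    access = share["access"].strip().lower()
    if access in BROAD_ACCESS:
        # Broad access is worst when the file holds personal identifying info.
        severity = "critical" if share["contains_pii"] else "high"
        findings.append((severity, f"access is '{access}', not limited to named people"))
    if not share["owner_mfa"]:
        findings.append(("medium", "owner account has no second authentication factor"))
    idle_days = (today - share["last_used"]).days
    if idle_days > max_idle_days:
        findings.append(("low", f"unused for {idle_days} days: review or delete"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])

def audit_inventory(shares, today):
    """Map each share path to its findings, omitting shares with none."""
    report = {s["path"]: audit_share(s, today) for s in shares}
    return {path: found for path, found in report.items() if found}

if __name__ == "__main__":
    for path, found in audit_inventory(SHARES, date(2021, 1, 15)).items():
        for severity, issue in found:
            print(f"{severity:8} {path}: {issue}")
```

Run on a schedule, a report like this turns "check and maintain your access controls over time" into a recurring review rather than a one-time setup step.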
Teams and people need to run their apps by their InfoSec/cybersecurity team as an option; it’s tough for the security team to do their job and support everyone when they don’t have knowledge of, or their arms around, all the various apps being used in the enterprise. (Pro tip: one key tenet of cybersecurity is knowing about ALL assets, systems and apps, and where data is stored, processed and transacted.)
Phishing scams typically employ social engineering in traditional email and cloud services attacks. Phishing can result in Business Email Compromise (BEC), Account Takeover (ATO), credential theft, ransomware and other security breaches. Emails are typically disguised as messages from trusted individuals like a manager, coworker, or business associate to trick your employees into activating the enclosed malware or granting unauthorized access. According to the 2020 Verizon Data Breach Investigations Report, 22% of breaches involved phishing. Phishing attacks will continue to be carried out through cloud applications as well as via traditional emails.
Ransomware attacks have been a significant concern for businesses over the past several years. Ransomware’s success is largely owed to the relative simplicity with which an attacker can achieve devastating effects. Ransomware operators have devised innovative ways to spread rapidly, dodge security protocols and launch successful attacks on targeted companies and individuals. This is a major cause for concern since the effects of a single ransomware attack can be extremely damaging to small and midsize businesses, leading to exorbitant costs associated with downtime and recovery. Given their increasing sophistication, greater frequency and new targeted approach, it can be safely said that the cost of ransomware in 2021 will be much higher than in 2020.
Social Media-Based Attacks
Social media has frequently been the medium of choice for launching various types of cyberattacks. We predict attackers are likely to transition from targeting individuals to targeting businesses in 2021. For example, cybercriminals might launch an attack by announcing a new product or a webinar mimicking a legitimate business. Once the user clicks on the registration URL, they would be redirected to a malicious website and driven to compromise personally identifiable information or credentials for multi-factor authentication.
Inefficient verification and authentication practices further enable social media attacks to succeed.
Passcodes and Passphrases
Best practices on passcodes are always changing and there’s no one perfect answer. The National Institute of Standards and Technology offers the best guidance for what people are thinking in terms of passwords; you can check it out at NIST.gov. Of course, using a secure application that stores all your passwords is also helpful so that your browser history is not storing your unique passwords (or worse, they are written down or stored in an unsecure spreadsheet). But that’s the real vulnerability: allowing your browser to store your passwords, which means your password may be exposed to the Internet, and some browsers are less secure than others. In other words, you really don’t have any control. Ideally, you don’t allow your browser to store your password, and you use a secure application to store all your passwords, such as LastPass. Another technique is to utilize two-factor/multi-factor authentication. A service or application texts the intended user a special code, and the user must input the special code to authenticate, which is a second layer of defense. Lastly, NEVER reuse the same password across business and personal accounts. Credential theft is a highly prevalent vector, and think about it: they get your creds (user ID and a shared password), which could lead not only to broad unauthorized access, but to your identity being stolen and possible company data loss or compromise. Don’t risk it!
Work-From-Home (WFH) Vulnerabilities
Working from home exponentially increases the security risk because of the larger number of variables. You have a greater number of device variables and in-home variables such as children, pets or even the mailman ringing the doorbell. People are accessing company systems using their own network devices and services, and each device has security configuration variables, some not always configured to be secure by default. You also have the added variable of Internet access outside of a corporate setting, where specific security threat mitigation controls may be applied and managed. When working from home (or remotely, say from a hotel), people could be accessing the Internet through an open access point where their web activity is open and visible to anyone else on the Internet, or even through a ‘man-in-the-middle,’ where a malicious actor has set up a Wi-Fi access point to intercept and monitor wireless network connectivity. Being aware of these variables is really important; being mindful of potential vulnerabilities and threats can reduce the likelihood you will be caught off guard (which is EXACTLY what social engineering tactics seek to achieve).
In a nutshell, criminals are looking for any point of entry, which includes you (the person), to steal your data. In a corporate context, cybersecurity and protecting ourselves in our cyber-enabled world is a company-wide team effort, not just the responsibility of the info security team. Security-minded individuals can make a positive difference through how they work, their vigilance toward cyber threats, and simply being aware that the Internet, apps and tools we use every day to enable our productivity are good but, like just about anything, can also be vectors for nefarious actions and outcomes if we do not pay attention. Even though companies spend millions of dollars on security, you’re only as strong as each employee in the organization. If the employees are not trained and not on guard, you’re completely vulnerable to an attack.
Learn more about cybersecurity and how your employees can act as a human firewall to prevent cyber attacks in Emtrain’s Cybersecurity course. You can also listen to my talk on Emtrain’s LinkedIn Live segment, Always Learning.