Please allow me to take you back to November 24, 2014. This was the day that a group called “Guardians of Peace” (GOP) released personal information about Sony Pictures employees and their families, along with internal emails, salary data and copies of unreleased projects. Numerous articles put Sony Pictures' direct loss from the “hack” in the neighborhood of $15 million. A company as large as Sony Pictures can probably absorb that hit, but what about a small business that averages under a million dollars a year? If hackers were to expose its emails, financials, proprietary information or other data, would the small business owner be able to recover?
Because of this risk, cybersecurity is one of the fastest growing career fields. According to research from the Enterprise Strategy Group, 46% of organizations report a shortage of applicants with the cybersecurity skills they need. Cybersecurity professionals are needed in every market and support businesses of every size. While we at FAI International are not cybersecurity professionals at this time, we are fraud prevention professionals, and cybersecurity is a growing area in our field. We view our role as that of an educator for you, our customer, and a resource should you or your business fall victim to a hack.
At this point we should all know what cybersecurity is. For those who do not, and for the purposes of this paper, cybersecurity is defined as the “protection of computer systems from theft or damage to their hardware, software or data, as well as from misdirection of the service(s) they may be providing”. Cybersecurity matters for a number of reasons. We are increasingly reliant on the Internet; if you doubt it, just watch how “freaked out” people get when it goes down. We are also reliant on computer systems, wireless networks, Bluetooth connectivity and our “smart devices” (see our white paper and video series on the Internet of Things) such as phones, televisions and automation systems. All of these systems allow us to communicate with others and perform the work processes that move our economy.
How are the “bad guys” breaking into our computer systems? They use a growing set of schemes, with new variations appearing daily. Here are a few of the tricks they use to get you to hand over the keys to your computer or network.
Most computer systems and network devices have some form of back-door access, such as a default password on a router or operating system. Thanks to the manufacturers of these products, those default passwords are often readily available on the internet to anyone willing to spend the time to figure out which device you are using and try passwords until one works. Think of the key ring you may have for your office building or home: all it takes is for someone to get hold of that key ring and start testing keys in the lock until one opens the door. These attacks are also a real hassle for legitimate users because they often lead to a denial of service (DoS). The hacker tries so many passwords, user IDs and so on in an attempt to reach your information that the site may block entry to the account altogether, forcing the legitimate user to reset passwords and login phrases.
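To make that lockout pattern concrete, here is an added example (not from the original paper) in Python that scans constructed authentication log lines and flags any source address that racks up a burst of failed logins, the behaviour that triggers the account blocks described above. The log format, the sample addresses and account names, and the threshold and window values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of authentication log lines (not real data).
SAMPLE_LOG = """\
2014-11-24T09:00:01 FAILED user=admin src=203.0.113.5
2014-11-24T09:00:03 FAILED user=admin src=203.0.113.5
2014-11-24T09:00:04 FAILED user=root src=203.0.113.5
2014-11-24T09:00:06 FAILED user=administrator src=203.0.113.5
2014-11-24T09:00:08 FAILED user=admin src=203.0.113.5
2014-11-24T09:00:09 FAILED user=user src=203.0.113.5
2014-11-24T09:05:00 FAILED user=jsmith src=198.51.100.7
2014-11-24T09:05:30 SUCCESS user=jsmith src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_log(text):
    """Turn log text into a list of (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def flag_guessing(events, threshold=5, window_seconds=60):
    """Return {src: sorted distinct users tried} for every source with at least
    `threshold` failed logins inside some window of `window_seconds`."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAILED":
            failures[src].append((ts, user))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside window_seconds.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = sorted({u for _, u in attempts[start:end + 1]})
                break
    return flagged
```

Alerting on the burst itself, rather than waiting for the lockout, lets an administrator block the source before legitimate users are forced into password resets.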
You may have heard the phrase “phishing” without being familiar with what it means. It sounds just like “fishing”, which is exactly what the hacker is doing. The hacker may send an email that appears to come from your bank asking you to change your password. When you go to enter your current password, the fake site is logging your keystrokes and recording the password you type. They are baiting their hook and waiting for the fish to strike. Hackers still use this scheme, or something similar, but have upgraded it considerably. Have you ever seen those surveys on Facebook that ask questions such as “What was your first pet’s name?” or “What city were you born in?” These are common security questions used by banks and other businesses to provide an additional level of security for your online account. By answering them on social media, you are handing that information to hackers who are building a profile of you for future attacks.
Closely related to phishing is social engineering. Imagine you receive an email that appears to be from your boss asking you to provide your email password or to transfer funds to a new vendor. The hacker may have set up a “spoofed” email account that resembles your boss’s. Chances are you are not paying close enough attention to the slightly misspelled name in the address, or to the fact that it is coming from a Google (Gmail) or Hotmail address, which you may assume is your boss’s personal email. In social engineering the fraudster spends considerable time investigating the target. They will know which employee is responsible for financial transactions and will direct their attack specifically at that person. How do they know this? Social media outlets such as LinkedIn provide exactly this information.
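As an added illustration (not part of the original paper), the following Python check encodes the two warning signs named above: a From header whose display name matches a known executive but whose address is either a free webmail account or a near-miss on the company domain. The KNOWN_SENDERS directory, the example-corp.com domain, the webmail list and the header samples are constructed assumptions.

```python
import re

# Constructed directory: people whose names attackers like to borrow, mapped to
# the only address each of them legitimately sends from.
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example-corp.com",
}
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>\s*$')

def parse_from(header):
    """Split 'Display Name <user@domain>' into (name, address); a bare address gets an empty name."""
    m = FROM_RE.match(header)
    if m:
        return m["name"].strip(), m["addr"].strip().lower()
    return "", header.strip().lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return the reasons a From header looks like an impersonation of someone
    in KNOWN_SENDERS; an empty list means nothing suspicious was found."""
    name, addr = parse_from(from_header)
    expected = KNOWN_SENDERS.get(name.lower())
    if expected is None or addr == expected:
        return []
    domain = addr.rsplit("@", 1)[-1]
    expected_domain = expected.rsplit("@", 1)[-1]
    if domain in FREEMAIL_DOMAINS:
        return [f"display name matches {expected} but address is free webmail ({domain})"]
    if 0 < edit_distance(domain, expected_domain) <= 2:
        return [f"domain {domain} is a near-miss for {expected_domain}"]
    return [f"display name matches {expected} but address is {addr}"]
```

A check like this belongs at the mail gateway or in the finance team's mailbox rules, so the warning reaches the person who handles payments before they act on the request.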
There are many other schemes out there, but here are a few tips to protect yourself and your computer systems from the cyber risks that threaten your network.
Businesses should only grant access to those who need it (the principle of least privilege). A receptionist should not have access to bank account information unless that is genuinely part of their job. We also recommend hiring or outsourcing to an information technology professional who can monitor, maintain and periodically test the network for breaches and malicious software. At a minimum the network should have a firewall in place. A firewall can block certain types of attacks through packet filtering; however, hackers can get around your firewall through phishing and social engineering, so employees need to be trained in what to look for as well. 90% of breaches involve human error. If an email looks suspicious, employees need to notify management and, most definitely, must not open the email or click on any links or attachments in it.
Businesses need to be diligent in preventing cyber-related attacks, and they need a cybersecurity contingency plan in place should they fall victim to one. If ransomware is involved, businesses should not pay the ransom. Data needs to be backed up externally so that it can be restored in the event of a cyber-attack. The business should also consider a cybersecurity insurance policy that may cover losses related to a cyber-attack. The tone needs to be set from the top.
Many businesses and organizations are working to provide resources and training on cybersecurity. The Department of Homeland Security has a 33-page strategy document available on its site that covers the topic, and the National Institute of Standards and Technology also has a site dealing with cybersecurity. Even Twitter has pages dedicated to the subject. The threat is real and is expanding as fraudsters get more creative and as the general public continues to put its information on social media sites. Governments, utilities and the healthcare industry are also seeing a growing risk from cyber-related activity. Be safe and protect yourself and your assets. After all, you do not want to be the next victim identified in a cybersecurity hack.