Do you need to worry about cybersecurity? After all, you’re not some corporate giant with half the country’s bank info. Hackers couldn’t possibly be bothered with small fish like you, right? Wrong. So very, very wrong.
Long story short, cyberattacks are lengthy, costly, and messy. And you are absolutely a target. Read on to understand hackers’ motives and methods so that you can better protect yourself and your business.
Data is the most valuable currency in the world. From cornering the advertising market (Google and Facebook) to basic phishing attacks looking for a lax employee, data would be worth its weight in gold if it weighed anything. While there are many policies around consumer data rights, we’re focusing on the malicious angle: unauthorized data access.
We all know the cybersecurity basics—don’t use the same password, don’t download attachments from unrecognized email addresses, require cybersecurity training at your company, etcetera, etcetera. Yet 18 percent of SMB decision-makers surveyed in 2019 listed cybersecurity as their lowest priority. A whopping 66 percent of the same group doubted their businesses would suffer a cyberattack.
That study came out in July of 2019. By the end of the year, the same report indicated that 67 percent of all small businesses had reported cyberattacks.
It makes you wonder how many more companies didn’t report attacks—or didn’t know they were hacked at all.
Now, combine the above knowledge with the fact that it took 206 days on average to identify a data breach in 2019. The full hack lifecycle—from initial breach to containment—averaged 314 days.
In calendar terms: If hackers successfully targeted you on January 1st, you wouldn’t know until the end of July, and containment would take until November. Only after all that would you begin the financial and reputation cleanup.
Most of the time, hackers are in it for the money. In 2019, 71 percent of breaches were financially motivated. But never underestimate the ego factor. Some hackers are after fame and recognition more than money. Others view hacking as a sport. Disgruntled ex-employees aren’t unknown in the cybercrime world, either. This is why best practices include changing passwords on shared office accounts!
As we said earlier, data is valuable, and businesses are a one-stop shop for large data dumps. In 2019, direct malware attacks on consumers dipped two percent while attacks on businesses climbed 13 percent. So yes, attacks on specific individuals trended down, but top brand impersonations claimed a quarter of all phishing attacks in Q1 2020, according to the SSL Store’s 2020 cybersecurity guide. How many of us have accounts with Apple, Netflix, or Yahoo? Hackers know to work smarter, not harder.
They sell it, most likely, or publish it on the deep web. Or they lock it and hold it for ransom. The type of damage hackers or their buyers inflict with stolen data depends on the type of information stolen. Eventually, it’ll end up on an underground market.
Think: Name, birthday, SSN, phone number.
If it can identify, locate, or contact you, it’s PII. Odds are, this is what hackers are looking for. As stolen information goes, PII is fairly malleable to a cybercriminal’s whims. They could apply for loans or credit cards and file fake tax returns in your name. Or they could subject you to a lifetime of spam. That’s a wide spectrum but one that’s aggravating across the board.
Think: Bank and insurance information, billing accounts.
Used to pay bills or transfer funds. Would you notice an extra couple of bill payments each month or if someone were skimming your bank account? The savvier cybercriminals could even make themselves credit cards in your name. Most of the fraudulent activities mentioned with PII apply here as well.
Think: Your credit and debit card numbers.
While part of financial information, specific card details can result in immediate transfers or online purchases. It doesn’t take much time to rack up a hefty credit card bill on someone else’s dime.
Think: Transcripts and school records.
True, this type of information is not as instantly lucrative as the others. Instead, it’s often used for blackmail and extortion. Fear works in the hacker’s favor here. Alternatively, they’ll pose as part of the school to phish you.
Think: Insurance and hospital records.
How much of your PII is listed in hospital records? With insurance information, cybercriminals can mess with your insurance by filing false claims and buying prescription meds in your name.
Think: Usernames and passwords.
If you regularly sign in with OAuth, imagine how many accounts you’re jeopardizing with one weak password. Consider your primary email login the Pandora’s Box of cybercrime. Some hacker rolls in and sets your inbox to auto-forward to her account. From there, she hits every “I forgot my password” button she finds. If your work email is compromised, she might spy on your company or attempt intellectual property theft. Think of all the PII stored in the average adult’s primary email—bank statements, rental applications, legal correspondence, and let’s not forget the contact list that’s grown unchecked since before Facebook had a timeline.
With such a data treasure trove in your inbox, it’s no surprise that phishing is the most recurrent attack vector. One of the most infamous cyberattacks in recent history, the 2016 DNC hack, used multiple attack vectors. None would have been as effective without stealing user credentials along the way. Read on for a rundown of the most common cyberattacks and how the Russian GRU hackers used many of them to exploit the DNC’s weak security.
Taking advantage of software vulnerabilities before they’re patched. Zero-day vulnerability is the actual hole in the software. The creators don’t know about it, and antivirus software doesn’t know to look for it. Zero-day exploit is the code attackers use to get in through the security hole. Famous Zero-day attacks: Stuxnet, the 2014 Sony fiasco, Adobe Flash for its entire existence, and of course, the DNC.
Zero-Day and the DNC Hack:
The DNC servers didn’t just have one Zero-Day vulnerability. They had six. To exploit them, the Russian hackers started a spearphishing campaign.
So popular that 80 percent of 2019’s reported attacks were phishing attacks. Hackers send emails posing as reputable contacts—someone in your organization or a known brand—hoping to trick you into sharing information or downloading malware. Spearphishing is a targeted attack by the same methods, where hackers go after individuals with higher access or privileges. Vishing is phishing over the phone. Your voice confirms your PII, credentials, financial information, and more to the very reputable lady who was definitely calling from the bank. Smishing is similar but uses SMS instead of voice.
Phishing and the DNC Hack:
The GRU sent dozens of spearphishing emails to Clinton campaign employees and volunteers over five days—targeting both work and personal accounts. They succeeded with the campaign chairman. Within days, their list of stolen user credentials included a sysadmin with unrestricted network access. Within weeks, they’d accessed more than 30 DNC computers.
A simple way to spread malware. Hackers drop malicious scripts into insecure websites. Any site visitors with vulnerable machines are automatically infected. Most likely to happen to those who always hit “Remind me tomorrow” on system update reminders.
Malware disguised as helpful software. Trojans might get to work at once or they could bide their time, which makes them particularly dangerous. How to handle Trojans: Don’t download or install anything questionable, from seemingly routine apps to your torrenting habit.
Hackers use malware to hold your files ransom. Businesses in particular tend to pay up because the cost of losing their files or having them published causes more than just financial damage. The catch: You have no idea if you’ll actually get your files back, if they’ll remain unpublished, or that the hacker hasn’t already deleted them.
Malware and the DNC Hack:
Russian hackers used three types of malware once inside the DNC network. One collected credentials. The second took screenshots and logged keystrokes. The third mass exfiltrated data to GRU-controlled servers. Those servers were based in Arizona to confuse the trail.
A Denial of Service (DoS) attack that uses multiple devices to launch. Hackers flood you with traffic to eat up bandwidth and resources. You have to scramble to fix it and go offline if you haven’t crashed already. Why hackers bother: It’s a favored revenge move and a useful diversion for hackers trying to break into your otherwise monitored system.
Hackers sneak malicious code in an SQL database or website. It tricks the backend into releasing information that otherwise wouldn’t be public—like a list of payment info stored on a retail site. How easy is it: So easy that automated programs exist. A hacker could destroy your business just by inputting your URL.
This is what happens when you use free WiFi or are infected with malware. Hackers sit pretty in the middle of your connection, seeing all data sent and received. This sounds familiar: Been on many virtual happy hours this year?
With so many types and methods of cyberattacks, maintaining your security can feel daunting on a good day. Fortunately, the key steps to personal and professional data security are simple.
The top attacks expected in the near future have the same top players as 2019: phishing, ransomware, DDoS, and password-based attack vectors. Joining the top tier are compromised business emails and IoT- and AI-based attacks. We already knew that attacks on businesses are trending up compared to those on individual consumers, so the first additions shouldn’t surprise anyone. As for the latter two, both areas continue to rapidly grow with 5G expansion. As the IoT grows and AI development expands, so too do correlated cyber threats. Escalation is a constant in cybersecurity, and you should approach it accordingly. Here are some top ways to maintain and improve cybersecurity in your life:
Hopefully, you already use two-factor authentication for most secure logins. It takes a few seconds of your day and packs a heavy security punch. You’re already used to it! For those with access to sensitive business and client information, multifactor authentication is a simple way to add extra protection.
You can’t protect your data or devices if you don’t understand the threats. It only takes one weak password to break a company. With business email compromise expected to rise, can you confidently say that every person in your organization follows the bare minimum in security practices? What about three months from now? Require cybersecurity training, and not just during new employee onboarding. Make it regular, make it thorough, and make sure your team actually pays attention.
In the SSL Store’s exhaustive 2020 cybersecurity guide, they highlight a particularly alarming habit. The current norm in the cybersecurity industry is containment. When prevention efforts can save more than a million dollars per attack, why on earth would three-quarters of cybersecurity professionals focus on containment instead? Because it’s more accountable. Prevention is too hard and not so neat with exact numbers to drop on a report to the board.
We think that’s one of the most ridiculous things we’ve heard this year, which is saying something for 2020. Instead, be proactive.
Audit your network and website for weak spots so that you have a regular idea of your attack surface. Make patch management a priority. Put resources into a cybersecurity team that can supervise and enforce employee security protocols. Prevention efforts can save a business over a million dollars per attack. Don’t forget how common attacks are: 2019 averaged 2,244 attacks each day.
Covid-19 created a hacker’s paradise. Cyber fraud jumped 20 percent just in Q1 2020. Then Coronavirus email scams said, “Hold my facemask.” From March 1st through the 23rd, spearphishing attacks skyrocketed 667 percent.
Containment doesn’t help when the damage is done. Focus on prevention.
If it connects to the Internet, it’s hackable. If we haven’t scared you enough, Google “baby monitor hacked.” On how many of your smart devices have you actively checked and updated the security settings? Factory default settings are rarely strong. To help get you started, we have a guide to securing all aspects of your VoIP phone system.
We’ve said it before, and we’ll say it again. Use a password manager to generate strong passwords and organize them. All you need to do is remember one extremely strong password and you can access your vault.
You should take some general precautions when surfing the Web, including the following:
To close out, let's look again at the DNC hack.
A Brief Timeline of the DNC Hack:
September 2015: The FBI tells the DNC IT department that Russian hackers have compromised at least one machine. A system scan shows nothing.
November 2015: The FBI again warns the DNC that a computer is sending information to Russia. The DNC says the IT department didn’t share the breach information.
March 2016: Clinton campaign chairman asks IT about a suspicious email. The response has a typo, saying “legitimate” instead of “illegitimate,” and the Chairman clicks the phishing link.
April–June 2016: Hackers steal data and thousands of emails, then hide their tracks.
July 2016: Wikileaks publishes the first batch of emails.
We all know the rest of the story. Once the stolen files were shared and published online, containment was out the window in terms of saving face. How many of the basic cybersecurity protection practices outlined above could have mitigated the hack's effect? The abundant lack of communication, patch management, and basic cyber threat awareness left the DNC system incredibly vulnerable.
Adding basic cybersecurity tactics into your routine is easy. Coming back from an international incident of cybercrime isn't. Your data might not be as blockbuster as a Presidential candidate's in an election year, but it's still valuable to hackers. Work hard to protect it.