The Biggest Cyber Security Threats of 2019

As technology becomes an even bigger part of our lives, influencing both the personal and the professional, being aware of the dangers cyberattacks pose is essential.

The reality is, they both affect the other; running parallel in their behaviours. Meaning, every time tech and cyber security evolves; cybercriminals methods for accessing your personal data evolve with them.

It is a pattern that you simply cannot ignore.

FACT: According to Cisco, 31% of organisations have at some point witnessed cyberattacks to their operations technology.

So what can you do? How can you minimise the risk of data breaches?

The first step is to familiarise yourself with the biggest cyber security threats around, so you know EXACTLY what to watch out for.

One: Internet of Things

If you’ve not heard of this term before, then the Internet of Things essentially refers to all devices in existence which connect to the internet and link our digital selves across devices and services (making our lives easier).

They are a combination of sensors, software, devices and networks, which aim to make your home and office environments more intelligent, comfortable and efficient. Take the following examples: computers, laptops, routers, webcams, video conferencing technology, warehouse stock monitors, household appliances (Alexa and smart thermostats), smart watches, medical devices, manufacturing equipment, cars/vehicles and household security systems – they ALL connect to the internet.

Now, the problem with these is that what makes them so convenient is also what makes them vulnerable, as they create ‘weak points’ that cyber attackers then can take advantage of:

  1. The devices themselves – studies have shown that IoT contains many architectural flaws, including inadequate security measures (that often arise from these weak points).From the simple action of forgetting to update regularly; you can give cybercriminals an easy in into your system, opening your business to attack. To put it simply, devices cannot always offer you the protection your business needs. Smart devices are particularly susceptible and are regularly left unprotected.
  2. Multiple devices – the more you have connected to the internet, the more entry points cybercriminals can take advantage of; increasing your odds of being attacked. This is a big concern for businesses, who naturally rely on connected devices to save money by gathering insightful data and improving their businesses processes.Yet, when you’ve got numerous individual members who each use multiple devices that are connected to the internet i.e. phones, laptops and PCs; this can then create problems.

Then there are the more obvious weaknesses that you need to be mindful of:

  1. Weak/guessable passwords – in a bid to make your passwords easier for staff to remember, you run the risk of professional hackers guessing and entering your system.
  2. Insecure services and ecosystem interfaces.
  3. Ineffectual secure update mechanisms – and as we’ve already mentioned, failure to regularly update your devices can put your business at risk.
  4. Insufficient privacy protection.
  5. Insecure data transfer and storage.
  6. Ineffectual device management.

The only way to handle these is to ensure that you deploy top quality security systems and increase awareness across your team. This will help to keep the threat under control.

Tip One: Hacking usually occurs when individuals share credentials and access to passwords. You can stop this by consciously remembering to NEVER share your credentials – even with someone internal.

Tip Two: Restrict access for sharing (which is easy to implement if you’re the service provider).

Tip Three: Use tracking methods to monitor the activities of employees and ensure that no unauthorised access takes place.

Tip Four: Include all devices in your security protocol, even smart devices – there have been cases of businesses being hacked through smart thermostats and CCTV cameras (due to Botnets entering the networks of these IoT devices, resulting in DDoS attacks).

Tip Five: Protect more than your devices – you also need to protect your privacy e.g. look at everything from the application and network to the IoT ecosystem as a whole in order to identify any weaknesses, vulnerabilities and liabilities.

Contact Economit to find out how.

Two: Social Engineering

Considering that more and more services are utilising the internet and digital processes; cybercriminals are now resorting to social engineering (hacking without code) to gather personal data and use it to either exploit your business directly or boost their long term gains (i.e. financially or to further their crimes by getting you to engage with malicious content).

Phishing scams are a prime example of their misuse of your information. From sending you emails to calling you up; they utilise domain phishing and phone number spoofing to make them look legit and trick you into clicking through and parting with personal details (through manipulative, deceptive and persuasive means).

In fact, according to RiskIQ, over $17,000 is lost every minute due to phishing attacks. So whilst they look inconsequential, they can do a lot of damage.

Now, most people are fully aware of phishing scams and know what they can and cannot click. Yet, this has not deterred or stopped hackers from continuing. If anything this has prompted cybercriminals to evolve and get more inventive with their disguises in their bid to trick you into clicking links or opening files. Do that and it will give them the ‘in’ they need to steal data, user logins and credit card details or install malware into your system.

In fact, there are reports of hackers using machine learning to help them create and distribute more convincing fake messages.

Most common forms of social engineering including phishing, catfishing, spear phishing, CEO fraud, smishing, vishing, clone phishing, domain spoofing, URL phishing and email scams.

So what can you do to stop them?

Tip One: Introduce protocols – these can range from limiting personal correspondence to monitoring message traffic (what goes in and out of your system). This can help prevent social engineering attacks.

Tip Two: Implement cyber security awareness staff training – this should cover common social engineering techniques and how they should respond to them. It is essential that you should enlighten your entire team to cyber security issues so they don’t fall for phishing scams. Likewise, this training should be mandatory for everyone – no matter their position in the business. NOTE: this training should be available all year round and shouldn’t occur once a year, but be done regularly.

You can also:

  • Encourage employees to report phishing – this will make the whole team aware of suspected phishing emails that are targeting your business. By reporting their presence, you can then fine tune your email/spam filters to protect your employees from these campaigns.
  • Run phishing simulations – this will enable you to gauge how well your training sessions are going and what needs improving/expanding upon. Again, these should be done regularly.
  • Use HTTPS on your website to help create secure, encrypted connections – to do this you will need to install SSL/TLS certificates.
  • Use reliable email and spam filters.
  • Implement two-factor authentication – even if an employee account becomes compromised; this two stage authentication will protect your system.
  • Use email encryption and email signing certificates.
  • Set up proper access management – this is essential as it ensures that no one has got access to data/systems that aren’t required for their job. NOTE: this will need to be kept up-to-date.
  • Policies and procedures – these are important for when employees leave or are fired. You will need to make sure that their access is terminated immediately.

Three: People

As social engineering proves, it is possible to trick innocent employees into parting with valuable information. Yet, on the other end of the scale you may encounter intentional threats to your cyber security when employees (or former employees) deliberately perform malicious actions.

From trying to turn a profit from your data (by selling or using the data they steal), to wanting to get revenge on a former/existing employer; it is entirely possible for employees to deliberately install malware, download data or create other data leaks.

To prevent this, you should:

Tip One: Alongside maintaining strong firewalls and antivirus solutions, you should also harness the services of an in-house or third-party cyber security operations centre (CSOC). Their job is to 24/7/365 monitor and analyse logs for your website, applications, and systems as well as intervene at any hint of a threat.

Tip Two: Limit employee access to sensitive systems by producing access management policies and procedures – from here you should keep a list of who needs access to your data and other systems.

Tip Three: Improve employee education on the realities of cybercrime and the dangers that can arise from crucial errors when trying to get things done quickly. The reality is, the biggest threat to cybersecurity is the people actually using the systems. This is partially down to having a limited education. You must improve this for them with regular training.

Tip Four: Utilise two-factor authorisation – this eliminates the risk that single factor, easy to guess passwords possess. Instead, it ensures that your accounts remain secure.

Tip Five: Strengthen security for data storage, downloads and transfers – by improving your platform and connection security, this will prevent malware installations and data leaks/loss from unsecure cloud storage (including unauthorised deletions or alterations). More importantly, it will prevent the penetration of advanced phishing.

For assistance with protecting your cloud storage, contact our team at Economit.

Four: Data access management

We’ve lightly touched on this subject before, but to give you a better picture – poor data access management could result in ex or current employees maliciously sharing data for personal gain.

Likewise, if your clients and vendors have access to any of your data; you are at risk of their malicious intent or their poor security systems.

So what can you do? The first step is to broaden you knowledge.

You see, whilst we are getting better at spotting and stopping malware, this has prompted cybercriminals to look for other ways to disguise their software. In other words, they are getting even more creative with their tactics.

Take the following:

  • Powershell attacks are a popular tactic hackers use to hide malicious software in legitimate Microsoft processes. They incorporate a “Living Off The Land” technique, by hiding themselves amongst Microsoft’s growing applications. Typically, they hide in regular processes and are very difficult to detect – even by trained cybersecurity professionals.
  • Legitimate software updates – again, cybercriminals exploit the weaknesses in these updates and use them to hide their malware.
  • Malware and fake public Wi-Fi points are also being harnessed by hackers in order to spy on conversations between two legitimate contacts. Using these overheard conversations, they are able to steal personal and financial data. These are referred to as “Man In The Middle Attacks”.
  • Shadow IT systems – it is not uncommon for businesses to use IT services that aren’t a part of their main IT infrastructure to help manage technology. Yet, this can create extra issues when protocols/ updates from both sides don’t function correctly together. They can lead to glitches and gaps in your systems that criminals can use to sneak in, exploit and deliver their malware.

You could say that Malware attacks are a big threat to cyber security in their own right, as they basically involve the integration of malicious software platforms – unknowingly – into your own system. Once in, they can remove data and media, and share sensitive files.

From adaptive malware (changes its genetic makeup/coding) and metamorphic malware (changes itself entirely with every new iteration) to generic backdoors, downloaders, Trojans, worms and macro viruses; it is important that you learn how to prevent their infiltration.

Tip One: Use strict security mechanisms and compliance – for instance, make sure that you use reputable antivirus and anti-malware solutions, email spam filters, and endpoint security measures.

Tip Two: Ensure that all of your cyber security updates and patches are up-to-date.

Five: Website security

This is another popular area for cybercriminals that is often ignored by businesses due to limited resources for website management.

As a result, each of the following areas acts as a gateway for hackers to attack your system:

  • Expired SSL certificates – these can lead to service downtime and an opportunity for cybercriminals to attack your site.
  • Poor patch & update management- like we’ve mentioned before, failure to keep your systems updated will leave holes that cybercriminals can exploit.
  • Insecure APIs (Application User Interfaces) – poor authentication and encryption can give cybercriminals a way into your website code, where they can then gather data from you about your customers.
  • Formjacking – this occurs when hackers infiltrate the code in website forms (in particular checkout forms, chats and surveys) and skim them for information (using malicious JavaScript code) in a bid to steal personal and financial data. And this can pose a big problem given that tighter regulations have resulted in forms being more readily used. To combat this, you should run vulnerability scanning and penetration testing. These will allow you to identify weaknesses in your security defences. In addition, you should:- Monitor all outbound traffic on your site – this will alert you to any traffic from your site to another location.
    – Utilise subresource integrity (SRI) tags – this will ensure any files used by web applications and documents don’t contain any hidden or manipulated content using hashing.

For more assistance with improving your cyber security and data management, reach out to Economit today.

Six: Ransomware

The surge is cryptocurrency has led to a rise in the use of ransomware because it enables hackers to get paid anonymously. This threat allows them to hold data hostage by taking advantage of physical and digital operations which control physical production and activity.

Their increased integration, has prompted hackers to use ransomware to help control and stop these operations, causing huge financial and operational issues for businesses.

In fact, this type of attack is believed to cost businesses billions every year, as hackers are able to essentially kidnap an organisations database and hold this information to ransom. Add in cryptocurrencies such as Bitcoin, and hackers are able to take these ransom payments without ever having to worry about businesses discovering who they are.

Now, whilst this is not a threat to security necessarily; the spread of misinformation by bots and automated sources can damage your reputation and cause losses in integrity (as well as trust) as clients will doubt your business.

Your next steps…

Now, while it is impossible to be 100% secure against all cybersecurity threats; you can still make a stand and adopt some of the best practices listed below to ensure that your business is as safe as it can be.

  • Ensure everyone in the organisation is properly trained on cyberattacks including: what threats are out there; what to look out for; how to do your best to avoid them and what to do in the event of an attack.
  • Implement data storage and sharing procedures – make sure these are in place for all types of data, including the management of who can access what systems.
  • Have a clear screening and authorisation process for updates – even if they seem safe at first, they should be screened to make sure they are legitimate.
  • Make website security your highest priority – even over aesthetic or content updates, your security should come first.
  • Perform a security review – they are a great way for you to identify the most urgent areas that need tackling – a task that we can perform at Economit. We can review your systems, procedures and security, and determine which areas need prioritising and which are in danger of being attacked.

Protecting your business from cyber security threats doesn’t have to be daunting. Remain vigilant, informed and prepared, and you can offer your business the protection it deserves. To arrange a security review or learn more about cyberattacks, contact us at Economit today.

Recent INSIGHTS