I have found there is a general perception among people that they won't be hit by a cyber attack of some form and that cyber security is not something they need to worry about too much. After all, you have installed an Internet Security product on your PC and you download apps from the official source to your phone. What could go wrong?
In this post I want to explain why it is everyone's job to make sure they are aware of the threats and what they can do about them.
I have come across a number of variants of the following statement. There are two types of person/company in the world:
- Those that know they have been hacked
- Those that don’t know they have been hacked – yet.
That was a very negative statement, but by and large it is true. Do you know whether or not an email address you provided to some obscure site a year ago, and have probably forgotten about, has been subject to a data breach and now your email address and password are being sold on the dark web? Does this company even know they have been breached?
Take a look at this blog posting I found online – List of data breaches and cyber attacks in September 2019 – 531 million records leaked.
Myths of Cyber Security
There are a number of misconceptions that people have about hackers and cyber security:
- I’m not important and no-one is interested in me
- I don’t have anything that a hacker would want
- I can’t stop them even if I wanted to.
Let's look at these in a little more depth.
Myth #1 – I’m not important and no-one is interested in me
Well, if you believe this, then you are precisely who cyber criminals are looking for because you are not defending yourself from their advances. Here are some metrics:
- Approximately 48% of us work for small/medium-sized businesses
- 49% of small businesses have been hacked
- 70% of cyber crime is focused on small businesses
- 75% of employees have risky cyber behaviour
- Of companies that have experienced a critical hack, 60% of them go out of business within 6 months.
In the past, and we are talking about the 1980s here, hackers were bright people who were interested in pushing buttons and seeing if things could be done with the technology. Does anyone remember the scare around macro viruses in Microsoft Office applications? A Microsoft employee investigated whether or not he could create a self-replicating macro that could infect other Office documents. He succeeded and, unfortunately, that got released to the world, probably because he posted it on some forum. This became a serious problem for Microsoft and has not been totally eradicated to this day. A lot of cyber attacks still start from an infected macro-enabled document.
Today, cyber criminals have more in common with the Mafia and organized crime. Using technology they can cast their net wide and affect millions of people at once. Botnets automate phishing attacks; put simply, we have scaled up from a lone person fishing for a single fish to a fishing trawler that gathers up whole shoals in one big scoop of its nets. This is the scale of cyber crime today, and it will only get worse.
There are basically three types of cyber criminal:
- The lone actor/script kiddie, often called an ankle biter, who acts alone and has limited impact (think of this as the lone burglar)
- Cyber Criminal gangs, who act as organized crime units and are in it for profit
- Nation-state actors that are interested in cyber terrorism, warfare and extracting intellectual property (the WannaCry attack a few years ago was attributed to North Korea).
So, even if you are not a significant player, cyber criminals are looking for you.
Myth #2 – I don’t have anything that a hacker would want
What do you have that hackers want? Here are a few things:
- Your login information
- Reputation and Market Share.
Hackers want to gain access to systems so that they can execute cyber attacks, data breaches and just outright fraud.
Some years ago, before I became much more aware of cyber crime, I was hacked! Yep, even me. I have an eBay account and I received an email from the site saying that I had been caught selling fake goods. I knew I hadn't, so I went to my eBay account and logged in. Yes, I had been selling knock-off T-shirts, but it wasn't me. I remembered that I had received an email from eBay a while back asking me to log in to the website for some reason, which, in my naivety, I did, and which promptly failed. I then logged in normally and I was in. This is what we now call a phishing attack. I managed to recover my account and credibility with eBay, but this is not the point. I was hacked, and I didn't even know about it until eBay told me I had broken the rules. I was lucky that they hadn't changed important details of my account.
So, if you are subjected to a phishing attack, you can inadvertently disclose vital information to a hacker. In my case the hacker managed to sell goods in my name on eBay and gained money as a result. This can be a lot more serious. What if you are a system administrator and your login information is disclosed? Once a hacker has access they can cause havoc in your systems, steal trade secrets, steal confidential information about your clients, monitor your systems; the list is endless. What if a hacker gets access to your online banking account? What if they gain access to a business email account that receives payment instructions from clients?
Hackers also want your money. This is often done through some scam, but more so these days via some form of ransomware attack. If your computer/network gets infected by ransomware, all your files are encrypted and are useless to you. The hacker will demand payment in bitcoin to release the information. This is becoming more of a problem and is big business. We are seeing small/medium-sized businesses being hit by ransomware as well as large companies and government organisations (schools, healthcare, local authorities). The hacker doesn't care if you are an individual, a small business or a large company. They just want you to pay up. If you are a large company, the loss in reputation can be devastating. If you are a small company, it can take you out of business. I recently read an article about a study on the outcome of a data breach. It found that 81% of people would stop doing business with a company if it were subject to a data breach. This could be devastating to your business.
We are also seeing a lot of online extortion scams, especially those where the scammer claims to have compromising information about you and threatens to disclose it to all your contacts (sextortion attacks are among the worst of these).
What about information? As a business you will hold a lot of transaction information – you have to by law. You may also have inquiries, quotes for work, etc. You may also have trade secrets and a lot of confidential information about your clients – especially if you are in financial services. Hackers want this information so that they can:
- Impersonate someone so that they can gain access to your internal systems
- Commit fraud by sending you alternate payment instructions (see Business Email Compromise, BEC)
- Gain market intelligence
- Steal intellectual property.
So, the idea that you have nothing a hacker would want is completely wrong. Even if you are an individual with barely any wealth, you do have something hackers want from you.
If you fall into this category, you are exactly the type of person a hacker is looking for, because you don't think you are vulnerable.
Myth #3 – I can’t stop them even if I wanted to
If you have read the above paragraphs, you might think this is true. But it isn’t! There are a lot of things you can do to protect yourself. This is what this website is mostly about.
You can employ technology to put up your defences, and I would recommend installing appropriate Internet Security products on all your devices. If you are a business, there are services out there that will help you to secure your infrastructure and deflect DDoS attacks. There are also monitoring services that look for suspicious emails and block them from being delivered. Installing firewalls to protect your internal network is always a good thing, as is perimeter monitoring. This is all very good, and I would recommend installing these services.
You also need to install patches to all your devices and infrastructure (including servers, routers, network switches as well as all client devices) as and when they are released, and make sure your devices are covered by regular updates.
However, this is not the full story.
A large percentage of data breaches start with a single message (email, IM, and even phone calls) that contains a malicious link that someone clicks. You, as a person with access to the internet, need to be super aware of the threat and act accordingly.
I regularly receive phone calls these days claiming to be from Ofcom, or my ISP, saying my internet connection will be terminated in 24 hours due to hacking on my connection. If I want to hear more I need to press # and I will be connected to a representative. At this point I would be connected to a premium line and possibly someone who will try to extract my login information for my ISP. Don't press #!
If you are a business and receive payment instructions via email/fax/telephone, please have a procedure in place to authenticate that payment instruction and determine if it is genuine.
If you receive an email from your credit card company asking you to pay to a different account, check that it is genuine before you make that payment. Missing payments on your credit card can adversely affect your credit score and open you up to potential legal proceedings. Check the payment instructions on your credit card statement and/or online account before you process that payment. You can also call your credit card company to check the valid account details. The same applies to any form of payment that you make regularly.
Awareness will give you the required knowledge to combat the human component of cyber attacks.
Just because you are not paranoid, doesn’t mean Cyber Criminals are not out to get you!
You are super important to them if your defences are not engaged. You have things they want, and even if you don’t have highly valuable information, you have money which is something they want.
You can defend yourself, and this website is dedicated to raising awareness so that you are more capable of detecting and defending against a cyber attack. The best place to start is our guidance pages and the blogs posted on this site. The mission of this site is to make people aware of not just the threat but also the things they can do to mitigate these attacks.
Cyber Criminals are not going away, and the situation can only get worse as we venture into the Internet of Things where the technology is obscured by familiarity.
The best form of technology is that which is unnoticed and drifts into the background. Motor transportation at the beginning of the 1900s was an innovation and highly noticeable. Wind forward to 2019 and everyone has a car. The same is true of smartphones, smart TVs, smart light bulbs, voice-activated assistants, etc. As we progressively automate and digitally connect ourselves, the cyber threat increases, and you have to be aware of this.
I hope this blog post has been a wake-up call to anyone who hasn't considered themselves important enough to cyber criminals. To those who are already aware, I hope this has reinforced that belief and that you will double down on playing safely online.