Why You Should Care About Cybersecurity

It’s not only the IT professionals in your office who should be concerned with cybersecurity.

In my July 2017 presentation to IAAP Summit 2017, hosted by the International Society of Administrative Professionals, we discussed how technology breaches can impact you and your colleagues – and how you have a role in risk mitigation.


Any device can be breached

… and so you’d do well to understand how it can be done. Here are just some of the approaches.

Adware – software that displays unwanted advertising while you browse the internet; it is often bundled with free downloads as a revenue source for sites and apps that do not charge user fees, and it is treated as malware when it installs without clear consent or tracks what you do

Data leakage – unauthorised transfer of data out of your control; it can be done with technology, or it can be as simple as someone watching you enter a password or other data on your computer or phone (“shoulder surfing”) and remembering it

Email, social media – messages may contain links or attachments that you don’t want to touch

Fraudulent/faux notifications – intended to result in you giving away money and/or information

Hardware theft – smartphones, iPads, laptops, netbooks, tablets, etc.

Laptops and other hardware – built-in cameras and microphones, which malware can switch on without your knowledge

Malvertising – malicious online advertising; can appear in ads that display as pop-ups or banners

Personal devices – data leakage (see above) from your smartphone and other hardware

Social engineering attacks – carried out through exploitation (of urgency, fear or an emergency) or through pretext (a plausible cover story); both are explained below

Employees tend to be the weakest link in an organisation

… and so you need to understand social engineering attacks. Fraud is nothing new. What is relatively recent is criminals’ expansion of their scope of operations from in-person and phone fraud (vishing) to also using email (phishing) and text messages (smishing) to conduct their activities. Social engineering attacks may be exploitative and/or rely on pretext.

Exploitative – of people or emergency situations; the criminal creates a sense of urgency or threat to extract information or money. A sampling: fraudulent parking violation or unpaid tax notices … account expiries/updates … solicitation of donations for people or communities experiencing flood, fire, earthquake or other emergency or health crises

Pretext – relying on bits of readily available information (your name, title, manager, suppliers, the software your company uses) to build a cover story that lulls a person into a false sense of security or readiness to give out personal information. Think of someone phoning you and identifying her/himself as the company’s internal auditor, or as someone from a government body or recruiting firm.


Cyber threats have evolved

… from targeting and harming computers, networks, and smartphones — to people, cars, railways, planes, power grids and anything with a heartbeat or an electronic pulse.

Here are some of the facts, and recent projections:

In 2015 the US government declared malicious cyber activity a national emergency (Executive Order 13694).

Criminals’ tactics are constantly evolving.

The average attacker is inside a network for about six months (the “dwell time”) before the company realises it.

It’s projected that four billion people will be online by 2020, and that 50 billion devices will be connected to the internet by then, generating data volumes 50 times higher than those of 2016. Ransomware damages alone were estimated at $325M in 2015; the global cost for 2016 was estimated at $1B, and the projected global cost for 2017 is $5B.

Global cybercrime damages overall were estimated at $400B in early 2015, and they’re projected to reach $6T (yes; trillion) annually by 2021.


Some habits you’d do well to avoid

Think about a typical week, and how frequently you access emails or browse the web.

Consider whether you’re exposing yourself or your company to risk, through any of the following.

Clicking on unknown links or opening attachments not from a trusted source

Banking on public Wi-Fi networks

Leaving portable hardware in the open when you’re not at your desk

Leaving your screen unlocked and visible when you step away

Sharing your business laptop

Sharing your passwords

Shopping on public Wi-Fi networks

Using the same password on multiple sites or accounts

Using personal information – your name, special dates, or family members’ names or birth info – in passwords

Appending or incrementing a number on your existing password when you’re prompted to create a new one (Summer2016 becomes Summer2017); attackers try exactly that variation first

How you can be proactive

You don’t need to panic; you simply need to be aware, and mindful.

There are a number of steps you can take to reduce risks; here are just a few.

Android phones, iPhones, iPads and other smartphones/tablets: routinely check notifications and install operating-system updates (iOS, Android) as they are released

Enquiries: verify the identity and legitimacy of anyone seeking information or money from you, using a phone number or address you already have on file rather than one supplied in the message or call

Mindfulness: Be aware of people entering office space alongside or behind you; are you unintentionally helping someone gain inappropriate access?

Office hardware: lock away in a secure place when not in use/you’re away from your desk

Personal hardware: install browser and security updates as they become available

Web cams, laptop cameras: cover them when not in use

Switch from passwords to passphrases where possible: think of a phrase, and feel free to include spaces between words. Aim for 15+ characters, including a mix of symbols, punctuation and upper/lower case; length does more for you than any single symbol, and a string of common words is far easier to remember than a short scramble

Test the security of your password/passphrase: there are sites that do just this, providing estimates of how quickly a computer could “crack” your passphrase. Dashlane’s https://howsecureismypassword.net/ is one such site. Before you try this: never type a password or passphrase you actually use into any website; test one of the same length and make-up instead, and ask your IT team for its recommendations on such sites.

Securely store password/passphrase info: research and use a password manager, an app that keeps your passwords/passphrases in an encrypted vault protected by one strong master passphrase, rather than a spreadsheet or a note under the keyboard

Safe browsing: use secured Wi-Fi networks for your browsing and shopping

Use separate passphrases for each account: at a minimum, have distinct ones for work and personal use

Discuss cybersecurity education with your executive/manager/colleagues, and your IAAP Branch and LAN
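The passphrase advice above, and the password habits listed under “Some habits you’d do well to avoid”, can be checked on your own machine instead of on a website. The following is an added example written for this page; it is not code from the original presentation or from any of the sites it mentions. It estimates how big a search space a candidate secret presents to two kinds of attacker (one guessing characters, one guessing whole words) and flags the habits the post warns about. The guess rate, the attacker word-list size, the short list of common base words and the sample secrets are all assumptions constructed for the example, not figures from the post.

```python
"""Offline password/passphrase checker (added example, not from the original post).

Nothing leaves your machine: the secret is never sent anywhere.
Assumed figures (not from the post): a 1e10 guesses-per-second offline attacker,
a 7776-word attacker dictionary, and the small COMMON_BASES set below.
"""
import math
import re
import string

GUESSES_PER_SECOND = 1e10   # assumed: offline attack against a fast, unsalted hash
DICTIONARY_WORDS = 7776     # assumed: Diceware-sized word list used by the attacker
COMMON_BASES = {"password", "welcome", "summer", "winter", "letmein", "qwerty", "admin"}
LEET = str.maketrans("@0$31!4", "aoseiia")  # constructed table undoing common substitutions


def charset_size(secret: str) -> int:
    """Size of the alphabet a brute-force attacker must cover for this secret."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in string.punctuation or c == " " for c in secret):
        size += 33  # 32 punctuation characters plus the space
    return size


def brute_force_bits(secret: str) -> float:
    """Upper bound: every position drawn uniformly from the observed character classes."""
    size = charset_size(secret)
    return len(secret) * math.log2(size) if size else 0.0


def dictionary_bits(secret: str):
    """Bound for a word-list attacker; only applies to plain words separated by spaces."""
    words = secret.split()
    if len(words) < 2 or not all(w.isalpha() for w in words):
        return None
    return len(words) * math.log2(DICTIONARY_WORDS)


def strength_bits(secret: str) -> float:
    """Conservative estimate: the smaller of the two attacker models that apply."""
    bits = brute_force_bits(secret)
    dbits = dictionary_bits(secret)
    return min(bits, dbits) if dbits is not None else bits


def crack_time_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the secret: half the search space at `rate` guesses per second."""
    return 2 ** bits / 2 / rate


def is_numeric_rotation(old: str, new: str) -> bool:
    """True when `new` is just `old` with a trailing number added or bumped (Summer2016 -> Summer2017)."""
    def base(s: str) -> str:
        return re.sub(r"\d+$", "", s)
    return old != new and base(old) == base(new) and base(new) != ""


def weak_habits(secret: str, personal_info=(), previous=None) -> list:
    """Flags the habits the post warns about; returns an empty list when none apply."""
    findings = []
    if len(secret) < 15:
        findings.append("shorter than 15 characters")
    lowered = secret.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            findings.append(f"contains personal information: {item!r}")
    # Strip a trailing number and undo letter-for-symbol swaps, then compare to common words.
    core = re.sub(r"\d+$", "", lowered).translate(LEET)
    if core in COMMON_BASES:
        findings.append("a common word with substitutions and/or a number on the end")
    if previous is not None and is_numeric_rotation(previous, secret):
        findings.append("previous password with only the trailing number changed")
    return findings


def report(secret: str, personal_info=(), previous=None) -> dict:
    """Bits of strength, expected crack time at the assumed rate, and any weak habits found."""
    bits = strength_bits(secret)
    return {"bits": round(bits, 1),
            "crack_time_seconds": crack_time_seconds(bits),
            "weak_habits": weak_habits(secret, personal_info, previous)}


if __name__ == "__main__":
    # Constructed sample inputs; the pet name and year are invented personal details.
    samples = (("P@ssw0rd2", "P@ssw0rd1"), ("Fluffy1982", None), ("six otters hum under blue lamps", None))
    for candidate, prev in samples:
        print(candidate, report(candidate, personal_info=("Fluffy", "1982"), previous=prev))
```

Two things the script shows that the advice alone does not: a four-word phrase of common words comes out near 52 bits against a word-list attacker however long it is in characters, which is why the checker counts words as well as characters, and a fifth or sixth word buys more than a symbol does; and a “complex” nine-character password built on a dictionary word is caught by the substitution check long before its brute-force figure matters.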

Practices in place at proactive companies, organisations

Communications – between the C-Suite and IT/employees/ Board of Directors; strategic CIO at “head table”

Controls – in place, and regularly tested

Cybersecurity incident principles in place – with pre-established protocols that people understand (what steps are to be taken, and by whom)

Employee education – with people trained to recognize phishing and other social engineering scams

Incident response tabletop exercises – emergency simulations

Informed boards – with “nose in; fingers out” of technology systems, protocols and security

Policies – including BYOD (Bring Your Own Device) and communication of risks

Regular data backups, updates and patches

Restrictions – application of the “least privilege” principle: people and systems get only the access their role needs, so, for example, ordinary users cannot install software or run as local administrators

Risk Registers / Enterprise Risk Management (ERM) – prioritisation of technology security


Grow your cybersecurity vocabulary

Adware: a form of malware (see below) that displays advertising material when you’re browsing the internet

Bitcoin: a decentralised digital currency. Bitcoins are not held or exchanged at banks; every payment is a transaction recorded on a public ledger (the blockchain) and authorised with the payer’s cryptographic private key. It is pseudonymous rather than anonymous: every transaction is visible to anyone, but is tied to an address rather than a name. As of early July 2017, one bitcoin is the equivalent of approximately $2,500 US / $3,200 CAD.

Browser hijacking/hijackware: malicious code that modifies the settings on your browser, without your consent; it may redirect you to a new home page and/or advertising, or install other software

Cybersecurity: measures (technology, practices and processes) taken to protect data, networks, programs and hardware from unauthorized access or attack – includes application, information, disaster and network security

Cryptocurrency: a digital currency that relies on cryptography for its security; it is not issued by a bank or central authority, and transfers of funds are verified cryptographically by the currency’s network rather than by an intermediary. Bitcoin is one example.

Decryption key: the secret needed to reverse encryption; in this context, what the criminal promises to hand over so you can restore access to your files, computer or network after payment of the ransom (often in bitcoin). There is no guarantee it will be provided, or that it will work.

Hacker: someone who uses technology to gain unauthorized access to data

Keylogger / keystroke logging: malicious software, or a small hardware device, that records a person’s keystrokes, giving the criminal that person’s log-in details, codes and other data. It may be introduced, for example, via a USB stick plugged into someone’s computer, or as a plug-in device sitting between the keyboard and the machine.

Malvertising: malicious online advertising; can appear in ads that display as pop-ups or banners

Malware: software/code designed with malicious intent; depending on the type, it steals data, spies on the user, takes control of the machine or, as ransomware does, encrypts files to make your network/systems unavailable. Examples: adware, bots, rootkits, spyware, ransomware, Trojan horses, worms. It can affect a single computer, or spread to many computers across an organization’s network.

Ransomware: malicious software (malware) used to infect computers; it restricts access to files and sometimes threatens permanent destruction of data. If infected, you’ll find your network/systems inaccessible; your technology is held ransom. Payment is typically by bitcoin (see above).

Shadow Brokers: a group of hackers that has leaked, and attempted to sell, hacking tools and exploits it says were taken from the US National Security Agency (NSA); one of the leaked exploits was used to spread the WannaCry ransomware in May 2017

Social engineering attacks: attacks that rely on either exploitation or pretext to gather info/money; these may come by email (phishing), text message (smishing), phone call (vishing) or in person

Spam: unwanted, irrelevant “junk” email, typically sent to a large number of recipients and typically for the purpose of advertising, phishing or otherwise spreading malware

Spyware: software used to gather and send personal information from a computer, without the user’s knowledge

Tailgating: an individual following an employee into an area in which s/he does not belong; the tailgater may be dressed as a delivery person, or like many of your colleagues. S/he gains access by walking with or behind you through hallways and doorways as though they have every right to do so.
