It’s not only the IT professionals in your office who should be concerned with cybersecurity.
In my July 2017 presentation to IAAP Summit 2017, hosted by the International Society of Administrative Professionals, we discussed how technology breaches can impact you and your colleagues – and how you have a role in risk mitigation. With that in mind, here’s an intro to cybersecurity.
Any device can be breached
… and so you’d do well to understand how it can be done. Here are just some of the approaches.
Adware – a form of malware; this is software that contains and displays typically unwanted advertising material when you’re browsing the internet; it’s a revenue source for sites that do not charge user fees
Data leakage – unauthorized data transfer; can be done via technology, or can be as simple as someone watching you enter a password/other data on your computer/other hardware, and retaining information
Email, social media – messages may contain links or attachments that you don’t want to touch
Fraudulent/faux notifications – intended to result in you giving away money and/or information
Hardware theft – smartphones, iPads, laptops, netbooks, tablets, etc.
Laptops and other hardware – internal cameras or webcams
Malvertising – malicious online advertising; can appear in ads that display as pop-ups or banners
Personal devices – data leakage (see above) from your smartphone and other hardware
Social engineering attacks – done through exploitation and through pretext
Employees can be assets – but also digital risks
… and so you need to understand social engineering attacks. Fraud is nothing new. What is relatively recent is criminals’ expansion of their scope of operations from in-person and phone fraud (vishing) to also using email (phishing) and text messages (smishing) to conduct their activities. Social engineering attacks may be exploitative and/or rely on pretext.
Exploitative – of people or emergency situations; the criminal creates a sense of urgency/threat to solicit info/ money. A sampling: fraudulent parking violation/unpaid tax notices … account expiries/updates … solicitation of donations for people/communities experiencing flood, fire, earthquake or other emergency/health crises
Pretext – relying on bits of readily available information to establish a pretext that lulls a person into a false sense of security or readiness to give out personal information. Think of someone phoning you and identifying her/himself as the company’s internal auditor, or as someone from a government body or recruiting firm.
Cyber threats have evolved
… from targeting and harming computers, networks, and smartphones — to people, cars, railways, planes, power grids and anything with a heartbeat or an electronic pulse.
Here are some of the facts, and recent projections:
The US government has declared cybercrime a national emergency.
Criminals’ tactics are constantly evolving.
The average attacker is in a network for about six months before a company realises it.
It’s projected that four billion people will be online by 2020. As a result, it’s projected that 50 billion devices will be connected to the internet by 2020, generating data volumes 50 times higher than those of 2016. Ransomware damages alone were estimated at $325M in 2015. The global cost for 2016 was estimated at $1B, and the projected global cost for 2017 is $5B.
Global cybercrime damages overall were estimated at $400B in early 2015, and they’re projected to reach $6T (yes; trillion) annually by 2021.
Some habits you’d do well to avoid
Think about a typical week, and how frequently you access emails or browse the web.
Consider whether you’re inadvertently exposing yourself or your organisation to risk, through any of the following.
Clicking on unknown links or opening attachments not from a trusted source
Banking on public Wi Fi networks
Leaving portable hardware in the open when you’re not at your desk
Leaving your screeen exposed
Sharing your business laptop
Sharing your passwords
Shopping on public Wi Fi networks
Using the same password on multiple sites or accounts
Using personal information – your name, special dates, or family members’ names or birth info – in passwords
Inserting or updating a numerical extension to your existing password when you’re prompted to create a new one
How you can be proactive
You don’t need to panic; you simply need to be aware, and mindful.
There are a number of steps you can take to reduce risks; here are just a few.
Androids, smartphones, iPads: routinely check notifications and update your IOS/OS/MOS (operating system)
Enquiries: verify identification and legitimacy of parties seeking information/money from you
Mindfulness: Be aware of people entering office space alongside or behind you; are you unintentionally helping someone gain inappropriate access?
Office hardware: lock away in a secure place when not in use/you’re away from your desk
Personal hardware: install browser, security updates as they become available
Web cams, laptop cameras: cover them when not in use
Switch from passwords to passphrases where possible: Think of a phrase, and feel free to include spaces between words. Aim for 15+ characters, including a mix of symbols, punctuation and upper/lower case.
Test the security of your password/passphrase: There are sites that do just this, providing estimates of how quickly a computer could “crack” your passphrase. Dashlane’s https://howsecureismypassword.net/ is one such site. Before you try this: Ask your IT team for its recommendations on such sites.
Securely store password/passphrase info: Research and use an app or other secure resource to safely store your passwords/passphrases
Safe browsing: use secured Wi Fi networks for your browsing and shopping
Use separate passphrases for each account: at a minimum, have distinct ones for work and personal use
Discuss cybersecurity education with your executive/principal
Practices in place at proactive organisations
Communications – between the C-Suite and IT/employees/ Board of Directors; strategic CIO at “head table”
Controls – in place, and regularly tested
Cybersecurity incident principles – with pre-established protocols that people understand (what steps are to be taken, and by whom)
Employee education – with people trained to recognize phishing and other social engineering scams
Incident response tabletop exercises – emergency simulations
Informed boards – with “nose in; fingers out” of technology systems, protocols and security
Network Penetration testing – and follow up
Policies – including BYOD (Bring Your Own Device) and communication of risks
Regular data backups, updates and patches
Restrictions – application of “Least Privilege” principle when it comes to software downloads
Risk Registers / Enterprise Risk Management (ERM) – prioritisation of technology security
Grow your cybersecurity vocabulary
Adware: a form of malware (see below) that displays advertising material when you’re browsing the internet
Bitcoin: an anonymized, digital currency that is encrypted with a registration number. Bitcoins are not exchanged at banks; payment is made by online transfer of the registration number(s). As of early July 2017, one bitcoin is the equivalent of approximately $2,500 US / $3,200 CAD.
Browser hijacking/hijackware: malicious code that modifies the settings on your browser, without your consent; it may redirect you to a new home page and/or advertising, or install other software
Cybersecurity: Measures (technology, practices and processes) taken to protect data, networks, programs and hardware from unauthorized access or attack – includes application, information, disaster and network security
Cryptocurrency: a digital currency that is reliant on encryption/cryptography for its security; not issued by a bank or central authority, the encryption is verified in order to transfer funds. The bitcoin is one example.
Decryption key: digital information; in this context, a password used to restore access to one’s computer/network after payment of ransom (often by bitcoin)
Hacker: someone who uses technology to gain unauthorized access to data
Keyboard/Keylogger/Keystroke Logging: the use of malicious software to record a person’s keystrokes on their keyboard, enabling the criminal to access a person’s log-in details, codes and other data. May be introduced, for example, on a USB stick installed in someone’s hardware.
Malvertising: malicious online advertising; can appear in ads that display as pop-ups or banners
Malware: software/code that is designed with malicious intent; it creates data breaches and uses encryption to make your network/systems unavailable. Samples: adware, bots, bugs, rootlets, spyware, ransomware, Trojan horses, worms. It can impact a single computer, or multiple computers and an organization’s network.
Ransomware: malicious software (malware) used to infect computers; it restricts access to files and sometimes threatens permanent destruction of data. If infected, you’ll find your network/systems inaccessible; your technology is held ransom. Payment is typically by bitcoin (see above).
Shadow Brokers: a group of hackers that has attempted to sell what it identifies as National Security Agency (NSA) source code, and leaked data allegedly from the NSA
Social engineering attacks: attacks that rely on either exploitation or pretext to gather info/money; these may come by email (phishing), text message (smishing), phone call (vishing) or in person
Spam: unwanted, irrelevant “junk” email, typically sent to a large number of recipients and typically for the purpose of advertising, phishing or otherwise spreading malware
Spyware: software used to gather and send personal information from a computer, without the user’s knowledge
Tailgating: an individual following an employee into an area in which s/he does not belong; the tailgater may be dressed as a delivery person, or like many of your colleagues. S/he gains access by walking with or behind you through hallways and doorways as though they have every right to do so.