What does it mean to be “Cyber Secure” in 2020?

by Riversafe

How the pandemic has affected cyber attacks

Covid-19 has impacted every type of business and cyber security is no exception.

The FBI has reported that there are 4000 attacks per day on average reported into their Cyber defence division – just from the US.  This represents a 400% increase compared to pre-COVID-19 statistics.

If there was ever a best time to start thinking about the cyber defence mechanisms in place for your business, it’s now. Cyber risk is on the rise for all organisations and there’s no size or industry that isn’t a potential target.

You’ve probably seen numerous headlines, articles and warnings stating that attacks are getting more vigorous and sophisticated, with more types of attacks being discovered every day. But looking at the statistics, more traditional and well-known attacks are still the most common. For example, 94% of malware in 2020 is still being delivered via email and 60% of breaches occur because the patch to an issue hasn’t been applied despite being available.

Most common cyber attacks

These cyber security attacks are reported to be the top five most common attacks in 2020:

  1. Phishing (Vishing, Smishing, Spear Phishing)
  2. Ransomware
  3. DDoS attacks
  4. Computer viruses
  5. Attack Vectors (Man in the middle, zero day, SQL injection & drive-by)

So what do you need to know about these attacks and how can you recognise them?

Phishing

Phishing is the type of social engineering attack where the attacker is trying to trick the victim to click or download an infected item or link. These attacks account for over 80% of reported security incidents.

There are many variations of phishing attacks. Most of the phishing attacks are done via emails, where the attacker can simulate different scenarios pretending to be a colleague, relative or someone the victim knows. And with everyone working from home now – there are more people online to target. In particular, attackers are getting more creative when targeting vulnerable people affected by COVID-19.

Vishing: Another phishing type is voice phishing or vishing. This involves sending a voice email or a call with different requests to provide sensitive information such as credit card details, PINs or passwords.

Smishing: Smishing uses the same technique as vishing, but via SMS messages. Due to our increasing reliance on smart phones this attack is on the rise.

Spear phishing: Spear phishing involves a specific targe, where the attack is personalised to get specific information from individuals. In most cases the attackers are seeking financial gain.

Ransomware

Ransomware is a malicious software that prevents the user from accessing data or files until the ransom is paid. Often there are still no guarantees that the files or data will be restored or won’t be deleted. As one of the most popular forms of attack, it’s predicted that by 2021 a ransomware attack will occur every 11 seconds according to Official Annual CyberCrime report of 2019.

Ransomware attacks became widespread in 2005, but the first ever ransom was demanded in 1989 on an attack against the healthcare system. In fact, the healthcare system is to date one of the most vulnerable industries in regard to ransomware attacks.

Distributed Denial of Service (DDoS)

DDoS or Distributed Denial of Service attacks are attacks that take the site offline and disrupt the web traffic by overwhelming the system with more requests than it can handle. In most of the cases DDoS attacks are performed in order to distract the victim – making them focus on getting the site back up while the criminals hack into the organisation’s network.

Computer virus: We need to be as aware of computer viruses now as we were 20 years ago. While it seems like an out-dated concept, they are still extremely prevalent today. A virus is a snippet of malicious code that replicates without the user’s knowledge. The victim can “catch the virus” by visiting infected website, downloading or opening infected email attachments or files, plugging in infected storage devices, such as USBs, or connecting to an infected network.

Attack Vectors

Attack vectors are used to gain access to a computer or an entire network in order to infect it or gather data.

Man in the middle: Man in the middle attacks are where an attacker gets in the middle of two users, impersonating the victims in order to get access to the system.

Zero day: When software is not updated to the latest version it can have vulnerabilities that can bring the whole system down. A zero-day attack is when a vulnerability has been made public but a patch hasn’t been released yet.

SQL Injection: This is where the criminal inserts malicious code into a server that uses SQL. Successful application of this attack grants access to the criminal to the desired data.

Drive by attack: Drive by attacks happen when the user visits a malicious website. This can be either non-legitimate sites, or legitimate sites that have been compromised by hackers, meaning the site will redirect to a malicious one or be infected itself.

The impacts of cyber attacks

The potential impacts of any of these attacks are no minor thing – they should be taken seriously. Here are some key statistics from IBM:

  • The average cost of a data breach in 2020 is $4million
  • It takes 280 days on average to identify and contain a breach
  • Every minute $17,700 is lost because of cyber-attacks

When faced with these numbers, most companies tend to retort that “it’s not going to happen to me”. But every company is a likely target. What people should realise is that “forewarned is forearmed”, and with awareness of these attacks you can take the correct steps to stop them.

How to prevent cyber attacks

Now you know the most common types of attacks that happen to users, let’s see what businesses can do in order to attempt to prevent them. We’ll take you through some of the most common misconceptions and mistakes people make about cyber security, then show you how to avoid them in order to mitigate against cyber threats.

“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative – if we don’t solve these security problems, then people will hold back.”

Bill Gates, Founder of Microsoft.

Most common cyber security mistakes made by companies:

  1. Underestimating threats
  2. Underinvesting (underestimating ROI)
  3. Not training people and forgetting the basics
  4. Not mapping data flow
  5. Not disclosing the breach

1. Underestimating threats

A lot of companies, especially SMEs (small and medium enterprises), ignore the need for cybersecurity assuming “it’s not going to happen to me”. But as practice keeps showing from year to year, the earlier businesses start thinking and implementing security practices, the safer they will be.

How to become more cyber secure:

It’s critical to understand that being secure is not a goal; being secure is a journey. As much as companies are striving to reach the status of 100% Cyber Secure, they will never achieve it.

One of the first steps an organisation needs to take on this journey is assessment. They should assess the risks and constraints within the company – whether that’s budgetary, technological or logistical. Once these are established you can set the goal of minimising risks within the available resources.

Risks will vary between their potential severity and the probability of them happening. For example, many attacks may be straightforward but can cause millions of dollars of damage, which for most companies is impossible to recover from.

Adopting the thinking of the hacker for this step is key. Think: “If I wanted to hack my company, where would I start? What would be easiest thing to do? What is the most vulnerable spot?”

Next you need to take this knowledge and implement it into security practices and tools. Detailed, deep and, most importantly, honest understanding of your network infrastructure is crucial for setting these up correctly. The aim is to make it as difficult as possible for a hacker to enter. The more complicated your system is – the more likely that the hacker will move to an easier target.

There are certain principles that are recommended by the industry in order to build a baseline of cyber-proof infrastructure:

  1. Least privilege: Individuals, software and devices should not be granted more privileges than they need in order to perform their work. That applies to both virtual and physical permissions – such as entering the building after hours or getting access to different zones of the building.
  2. Redundancy: Companies should build computer or network components that are redundant, meaning they have multiple instances which make it more difficult for the attacker to attack both or more instances.
  3. Decentralization: What decentralization does is it increases the number of points of failure, which makes your system more robust as the hacker will have to compromise more components in order to get to the desired system or network.

Once some of these security principles and practices have been applied into the network, the rest of the journey is an ongoing process:  Assess – reveal – prevent.

Penetration testing can be performed on a regular basis in order to assess and reveal any newly emerged risks within the infrastructure so you can always maintain and improve your cyber security. As cyber criminals are getting more knowledgeable with every second, this helps organisations be ready to fight back.

2. Underinvesting

The second most common mistake companies make is underinvesting into cyber security. A lot of companies might think at least one of the following:

  • That their ROI in Cyber Security isn’t high enough
  • They are better off investing in improving the product
  • They should prioritise hiring more people
  • Increasing the market share is more important

How to demonstrate ROI for cyber security:

Calculating ROI in cyber security is extremely difficult as many aspects come into play, and not only the monetary ones. The crucial step is helping key stakeholders within an organisation to translate the cyber risk into business risks.

Stakeholders are battling with business risks all the time, but when the cyber risks are not interpreted correctly they can be ignored or miscalculated. Cyber risks can be translated into financial, compliance, operational, strategic, and even reputational costs. Now that users are more aware of their PII data, being sure that a company can protect their data from criminals is a priority when it comes to customer loyalty and trust.

What’s  important is to understand is that all your security challenges can’t be achieved with a single tool. Investing in a combination of tools and adopting a layered approach will bring a higher ROI.

Firewall, email filtering, email archiving, email encryption, data encryption and mobile security are all examples of the layers that companies can adopt in order to safeguard their network. A great approach to finding the right layers and tools for your needs is to consider detection and prevention. Satisfying these two principles is key to building a secure cyber security infrastructure.

3. Not training people

1 in 3 companies are reported not to be training their staff on cyber security best practices. 

The risks of not training staff:

Even though cyber security seems like a very complicated technological concept – it’s actually all about the people. No matter how much money your company has invested in advanced tools or how many layers of security have been placed within your network, it’s all a waste of money if you do not train your staff. A whole network can be infected by an untrained employee opening the wrong link, so it’s essential to conduct regular training for a secure environment.

With the rise of “Bring your own device” culture, the number of potential vulnerabilities can double if not triple. Once  employees connect their own laptops, tablets, or even phones to the work’s network they’re putting the whole organisation’s infrastructure at risk.

How to conduct cyber security training:

Even a simple cyber-awareness training with best practices to follow is a good start.

There are a lot small details that need to be paid attention to and that can be crucial in cyber security. Ultimately, it’s up to individuals to follow the company’s guidelines in order to follow them.

Saying that, these are 10 best practices that members of stuff should follow at a workspace or when working from home:

  1. Do not let strangers connect to a primary network
  2. Do not click on any links or attachments in an email, marketing pop-up, or similar until legitimacy is verified
  3. Do not share any PII data before the legitimacy of the request is verified
  4. Do not leave your devices unsupervised
  5. Use strong password, update them regularly and use multi-factor authentication
  6. Back up all your files
  7. Use firewalls
  8. Update all systems and software as soon as possible
  9. Use the principle of least privileges when it comes to yourself and to your colleagues
  10. Speak to a member of staff immediately if you think you’ve been a victim of an attack

There can be cases where employees are resistant to these types of trainings and workshops. It’s crucial to find ways to incentivise them to follow best practices and communicate the importance of cyber-safe behaviour.

To help employees onboard new best practices, there needs to be a shift within company culture in order for the employees to perceive personal cyber security as part of something bigger than that. That it’s only individual’s risk but also the risk of the whole company. Reliability, trust, responsibility and responsiveness are key attributes of the culture of the company that takes cyber security seriously.

Companies scan additionally consider pre-approving devices to avoid any harm being done. And it’s important to think about physical security, both externally and internally. Not all attacks are as sophisticated as some might think. Simple tailgating, leaving documents open or printed in public spaces, and not locking the desktop of computers can cause lots of damage. Employees need to be trained to question the legitimacy of everything surrounding their workplace security. This also applies to temporary employees such as contractors, interns, consultants, and departed employees.

4. Not disclosing the breaches

Despite multiple regulations and laws being introduced to force businesses and organisations to report any cyber security breaches or attacks, the majority of them are still either not disclosed, not disclosed in a timely manner, or not disclosed in much detail. For example, some companies in Europe are finding loopholes around Non-Disclosure agreements to avoid paying fines after the GDPR came into play in 2018.

Why building trust is important for cyber security:

The feeling of transparency, trust and of shared responsibility needs to be established between businesses, and cybersecurity firms in order to maintain levels of cyber and data security.

Not only this, but it’s important when building customer relationships – people understand the worth of their data and, in turn for providing it, require a show of trust and transparency. This helps you build a good company reputation and rapport with customers.

Cyber security crimes and attacks are evolving exponentially. Even though most of the attacks are following traditional routes, businesses can’t afford to stagnate, become complacent, or stop reevaluating and reinforcing their security measures while attackers are improving. If businesses and cyber security firms establishes some transparency, they could share crucial knowledge and experience of known attacks to help them save millions if not billions of dollars.

Constant improvements, risk assessments, threat hunting, vulnerability testing, penetration testing, data flow evaluation – all of these methods should be part of any business’s cyber security strategy. These methods will only become more effective with the sharing of data.

5. Not mapping data flow

Even though the price of a single data unit is not established, we know it’s very expensive. That’s why organisations must know where their data comes from, where it goes, how it’s stored, where it’s stored and who has access to it.

The security measures we’ve discussed are of course crucial, but in order for them to work effectively you must know what you’re protecting and where it is.

Companies should therefore work through the lifecycle of their data from start to finish to identify the following:

  • The phases where data is in transit
  • The phases where data is at rest
  • All the processes, systems and vendors data interacts with

All of these steps should be followed step by step when mapping the data flow of the organisation. This exercise will be a solid foundation for performing risk assessments and establishing the potential vulnerabilities within your infrastructure, plus it will help with compliance audits and reports.

The approach of every organisation is individual, but there are some crucial questions that every company should ask when making a data flow mapping:

  • What types of data does your organisation possess, process or store?
  • What personal, financial, operational, or intellectual property do you have?
  • How sensitive is the data depending on its confidentiality, integrity and availability?
  • What are the subcategories of data? (Including names, addresses, and credit card information)
  • What is the format of the data? (For example, documents, emails, databases, physical, or media)
  • How is the data processed and what it is used for?
  • Who has access to your data and how is it protected/are you planning to protect it from users without access?

Once your organisation has established the continuous lifecycle of assessing, preventing and reporting you have put in place a solid framework to support your journey of securing your business, customers and members of your team.

By Riversafe

Cyber Security Intelligence Experts

Book a consultation

Arrange a cyber security or data operations consultation with the RiverSafe team today.