No One is too Busy: Why we are so Vulnerable to Cyber Attacks
By Heather Bearfield, Principal, IT Risk & Assurance Services Practice Group Leader
Cyberattack: arguably the word that keeps the C-suite awake at night. The heart of the nightmare is that no matter how much money a company spends or how many resources it dedicates to the fight against cybercrime, every organization is vulnerable to the human nature of its employees. One thoughtless click on a bad link, or one opened attachment from an unknown source, and the cybercriminal is in. The damage is done the moment the employee takes that action, and the consequences of the breach begin to unfold.
Laxness by employees in complying with corporate IT policies carries over from poor or uninformed internet habits at home. Many people are under the mistaken impression that hackers are primarily after our credit card information. It is paramount that we all safeguard our online financial transactions with strong passwords and encrypted (HTTPS) connections, but many times it is our email addresses that hackers really want, because the address is the first step toward the account behind it.
An email address gives a hacker a potential way in. Once a hacker has your email address, phishing attacks can be launched: messages disguised to appear as though they come from a valid source, instructing you to click a link to register for or access something of interest. The link leads either to a counterfeit page that captures whatever you type into it, or to a download that runs malicious code on your machine.
This is nothing new. This type of attack is a common occurrence, most often clustered around a media event such as the Olympics or the Oscars, or a high-interest news event such as a terrorist attack or an aircraft disappearance. These largely preventable breaches occur because we all think we are too busy to take the time to validate links or web addresses ourselves. Look! Someone I know and trust has saved me the time by doing the work for me! I'll just click this link instead of looking it up myself!
These messages usually have a scenario or story:
- The message may state that there is a problem that requires you to "verify" information by clicking on the displayed link and providing information in a form. The link location may look very legitimate with all the right logos and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site, and provide whatever information the hacker is asking for. These types of phishing scams often include a warning of what will happen if you fail to act soon, because criminals know that if they can get you to act before you think, you’re more likely to fall for their phish.
- The message may notify you that you're a "winner." Maybe the email claims to be from a lottery, or a website that is recognizing you as their "millionth" clicker. In order to receive your "winnings," you have to provide information about your bank routing number, or your address and phone number. You may also be asked to prove who you are by providing your Social Security Number. These are the "greed phishes," where even if the story pretext is thin, people want what is offered and fall for it, then have their bank account emptied and identity stolen.
- The message may ask for help. Preying on kindness and generosity, these phishes ask for aid or support for whatever disaster, political campaign, or charity is hot at the moment.*
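The first scenario above turns on a link whose visible text looks legitimate while its real destination does not, and the article's closing advice is to check where a link actually goes rather than trusting what it says. As an added example that is not code from the original article, the Python script below performs that check mechanically: it pulls every link out of an HTML message, compares the host shown in the link text with the host the href really points to, and flags the usual tricks (a trusted name buried inside another domain, a username-before-@ prefix, a raw IP address, digit-for-letter look-alikes). TRUSTED_HOSTS and SAMPLE_EMAIL are constructed for the example.

```python
"""Flag deceptive links in an HTML e-mail before anyone clicks them.

Added example, not code from the original article. It compares the host a
link displays with the host its href really points to and flags common
phishing tricks. TRUSTED_HOSTS and SAMPLE_EMAIL are constructed for the
example; in practice the trusted list is whatever sites you actually use.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sites the reader actually does business with (assumption for the example).
TRUSTED_HOSTS = {"example-bank.com", "example.org"}

# Constructed sample message: three deceptive links and one honest one.
SAMPLE_EMAIL = """
<p>Your statement is ready: <a href="http://example-bank.com.login-verify.net/acct">https://example-bank.com/statements</a></p>
<p>Act now or your account will be suspended. <a href="https://example-bank.com@198.51.100.7/">Verify</a></p>
<p>Or visit <a href="https://examp1e-bank.com/">examp1e-bank.com</a></p>
<p>Help desk: <a href="https://example.org/help">https://example.org/help</a></p>
"""

# Digit-for-letter substitutions attackers use in look-alike domains.
LOOKALIKE = str.maketrans("1035", "loes")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def split_url(s):
    """urlsplit() that also accepts a bare domain such as 'example.org'."""
    s = s.strip()
    return urlsplit(s if "://" in s else "http://" + s)


def host_of(s):
    return (split_url(s).hostname or "").lower()


def is_trusted(host):
    """Exact match or a subdomain of a trusted host; never a substring match."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html):
    """Return [(href, real host, [reasons])]; an empty reasons list means clean."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = split_url(href)
        target = (parts.hostname or "").lower()
        reasons = []
        # Anything before '@' in the authority is a username, not the host.
        if "@" in parts.netloc:
            reasons.append("text before '@' is a username, not the host")
        if is_ip(target):
            reasons.append("raw IP address as host")
        # If the visible text itself looks like a URL or domain, compare hosts.
        shown = host_of(text) if "." in text and " " not in text else None
        if shown and shown != target:
            reasons.append(f"visible text says {shown} but link goes to {target}")
        if not is_trusted(target):
            if is_trusted(target.translate(LOOKALIKE)):
                reasons.append("look-alike of a trusted domain")
            if any(t in target for t in TRUSTED_HOSTS):
                reasons.append("trusted name embedded in an untrusted domain")
        findings.append((href, target, reasons))
    return findings


if __name__ == "__main__":
    for href, target, reasons in check_links(SAMPLE_EMAIL):
        print(("SUSPICIOUS " if reasons else "ok         ") + target)
        for r in reasons:
            print("    - " + r)
```

The key design point is in is_trusted(): a domain is trusted only when it equals, or is a subdomain of, a name on the list. A plain substring test would wave through example-bank.com.login-verify.net, which is exactly the shape of the first link in the sample.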
One of the main implications, as mentioned previously, is that these phishing attacks are being used to gain access to your email. Think about what lives in your inbox: notifications about your bank statement, or your managed-care benefits? Stolen records can also tell an attacker whom to go after; the Anthem breach in 2015 exposed employment and income data along with names, addresses and Social Security numbers. Once inside your inbox, the attacker has an email from your bank with a link that leads straight to the login page, and all that stands in the way is your password. Do they just click "Forgot Password" and wait for the reset link to land in the very inbox they now control? Or does the bank ask for answers to security questions? If so, are yours hard to find, or are they publicly available information such as your college mascot? Your college is probably listed on your LinkedIn profile, so that answer is easy to get. Your mother's maiden name? If you are connected to her on Facebook, there is answer No. 2.
You see where I am going with this. It isn't just that they have your email address; they now have access to numerous pieces of information about you. Make your security-question answers something only you know, not facts an attacker can look up. One approach is to answer every question with something unrelated to it. Name of the street you grew up on: New England Patriots. Name of your first car: New England Patriots. Name of your favorite food: New England Patriots. Two caveats: the answer must not itself be something you have posted (a favorite team often is), and reusing one answer everywhere means a single leaky site exposes your reset path at all of them, so use a different answer per site and keep the answers in a password manager rather than relying on memory.
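As an added example that is not from the original article, here is how a practitioner would put that advice into practice in Python: treat security-question answers as secrets, reject any candidate that matches a fact harvestable from public profiles (college, maiden name, favorite team), and issue a distinct random answer per site, stored like a password-manager entry. The PUBLIC_FACTS set and the WORDS list are constructed for the example.

```python
"""Treat security-question answers as extra passwords, not facts.

Added example, not code from the original article. Rejects answers an
attacker could harvest from public profiles and issues a random, per-site
answer instead. PUBLIC_FACTS and WORDS are constructed for the example.
"""
import secrets

# What LinkedIn/Facebook would reveal about this account holder (constructed).
PUBLIC_FACTS = {
    "university of vermont", "catamounts", "smith", "burlington",
    "new england patriots", "honda civic",
}

# Word list for random answers (constructed; use a long diceware list in practice).
WORDS = ["copper", "lantern", "orbit", "velvet", "harbor", "granite",
         "meadow", "cinder", "falcon", "prism", "timber", "quartz"]


def normalize(s):
    return " ".join(s.lower().split())


def is_guessable(answer):
    """True if the answer is short, contains, or is contained in a public fact."""
    a = normalize(answer)
    return len(a) < 4 or any(f in a or a in f for f in PUBLIC_FACTS)


def random_answer(n_words=3):
    """Unpredictable multi-word answer; secrets, not random, because it is a secret."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


class AnswerVault:
    """One unique answer per (site, question), like a password-manager entry."""

    def __init__(self):
        self._store = {}

    def enroll(self, site, question):
        key = (site, normalize(question))
        if key not in self._store:
            ans = random_answer()
            # Never reuse an answer across sites: one leaky site would
            # otherwise expose the reset path everywhere.
            while is_guessable(ans) or ans in self._store.values():
                ans = random_answer()
            self._store[key] = ans
        return self._store[key]

    def lookup(self, site, question):
        return self._store.get((site, normalize(question)))


if __name__ == "__main__":
    vault = AnswerVault()
    for site in ("bank.example", "mail.example"):
        print(site, "->", vault.enroll(site, "Mother's maiden name?"))
    print("Patriots guessable?", is_guessable("Patriots"))
```

The same question enrolled at two sites yields two different answers, and the public-fact check catches partial matches such as "Patriots" against "New England Patriots", which is the kind of answer a LinkedIn or Facebook profile hands to an attacker.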
In conclusion, data breaches are becoming commonplace, but that doesn't mean we can shrug them off: the fines and fees that follow are tremendous and ever-increasing. Until we have a single national data breach notification law holding all organizations to the same standard, there will continue to be gray areas. My message for sleepless CEOs and all the rest of us is: don't be so busy that you unwittingly put yourself at risk. Take the few seconds needed to validate a link emailed to you: hover over it to see where it really leads, and rather than clicking through, open your browser and type the site's address yourself. Simple precautions like this will engender better, smarter web habits that carry over into the workplace and keep us all safer on our personal laptops.
Source: Webroot, “What is social engineering?”