Cyber security threats are ever evolving and continue to be a risk to our businesses; what are some of the common ones and why can investing in the human firewall assist?
The latest wave of cyber security attacks targeting New Zealand businesses was designed to disrupt and exploit operations.
In some of the most high-profile cases, a distributed denial of service (DDoS) attack was used, where a large number of compromised devices (a botnet) flooded a particular service with traffic with the goal of making it unusable.
Other wider cyber security threats such as extortionware, ransomware, malware, unpatched vulnerabilities and the exploitation of remote access technologies are also increasing.
There are technology tools (devices and software) that can be put in place to counteract some of these attacks.
However, technology is great until people get involved, so the biggest threat is how we, as humans, respond and react. The most common types of attacks that are evolving and developing are social engineering attacks.
What is a social engineering attack?
This is where an attacker uses human interaction (social skills) to obtain information that lets them steal or encrypt organisational and personal data, which they then sell or use to extract some form of payment.
If an attacker is not able to gather enough information from one source, they may approach another source within the same organisation and use the information from the first source to add to their credibility.
Social engineering attacks are commonly classified as follows:
Phishing is the most common type of social engineering attack and is usually delivered in the form of an email. However, attackers may also use social media, SMS, or some other form of communication.
The attacker will impersonate a trusted entity, such as a work colleague, bank or reputed organisation, in an attempt to fool the victim into clicking on a malicious link or downloading an email attachment containing malware.
Spear-phishing is a targeted phishing attack aimed at a specific employee within an organisation, newer employees for example, as they may be easier to fool and compromise.
Whaling targets high-ranking employees within an organisation. These might be CEOs, CFOs or other senior executives, and the goal is to gain access to high-value data. Attackers will also target government agencies in an attempt to obtain classified information: a bigger target with a bigger potential payout.
Baiting, as the name suggests, is where traps are set up in order to entice victims into handing over credentials or installing a malicious program. The “bait” can be either a physical object, such as a USB drive left lying around, or a link to a malicious website/application, which offers a voucher or a free product or service that users might be interested in.
Vishing is where the attacker uses phone calls to trick the victim into handing over valuable data. The attacker will set up a fake phone number and call the victim claiming to be their bank, or some other trusted entity, asking them for their account details.
Scareware is designed to scare victims into handing over sensitive information. It often presents itself in the form of a pop-up informing the victim that their device has been infected with a virus and that they need to install the attacker's software to fix the problem. Of course, the software they install will be malware. Variants try to shame users into paying to prevent disclosure of their browsing habits to their partner, family or friends.
The best way to combat these constant threats is to look at your technology solutions, IT infrastructure and potential areas of vulnerability so that you can put in place the tools, systems and culture that prevent attacks getting through. You must also have a recovery plan for when the worst happens.
Security technology such as firewalls and antivirus software should be installed to protect your IT devices and infrastructure; these perform the same kind of function as the gates, fences and locks on your house.
With social engineering threats you should also develop a Human Firewall.
This can be done by educating your team through a continuous security training programme that covers what to look for, what procedures to follow, and who to notify if they are subject to a potential attack.
By informing and upskilling your team in this area you can save your business considerable time and money whilst also protecting your professional and commercial reputation.
Prevention is better than the cure, so talk to your IT teams as a matter of priority about whether you have the right security tools, including security awareness training, to protect your business.
Finally, don’t forget that the Privacy Act 2020 comes into force on 1 December this year.
Ensure you are up to date with how it affects you and your business by logging on to the website of the Privacy Commissioner at https://privacy.org.nz/