2020 will bring four major cybersecurity threats to businesses around the globe: bad password use, phishing schemes, accidental insider threats and mismanaged account access. None of these threats is novel; going into 2020 the difference isn’t where the weakness lies, but how hackers’ tactics have changed.
#1 Bad Passwords
Passwords are one of the first places a hacker targets. Why? Because passwords are created by people. People are easier to hack than technology. If you know anything about a person, guessing their password becomes that much easier. People use information they can remember for passwords, typically nouns and dates tied to their lives. And in 2020 lives are very visible on social media. Each time we post we are doing a little bit of the hackers’ job for them.
Make passwords longer. If your passwords are shorter than 14 characters, go change them now; we’ll wait… Capitals and symbols no longer matter as much with the advent of programs designed to hack passwords. The length is what makes it difficult for a hacker to guess: the longer the password, the more combinations a program has to go through to hack it. It’s not foolproof, but it will stall an attack, and if you make it long enough, it could stall for eons. Instead of a word or two, use a phrase that has nothing to do with yourself, or at least nothing you would post. For example, “the yellow wallpaper in the old room is dull on monday” takes basically forever to hack, doesn’t contain personal info and has no numbers or symbols substituted for letters ($ for the letter S and so on; do you really think H4ck3r$ don’t know your tricks?). Doing this will immediately make your business less hackable.
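As an added illustration of the points above (length over character tricks, and no personal information), here is a small password policy checker that is not part of the original article. It estimates the brute-force keyspace of a password, undoes common letter substitutions such as $ for S before looking for personal words, and enforces the 14-character floor; the substitution table and the sample personal words are assumptions for the example.

```python
import math
import re

MIN_LENGTH = 14  # the article's floor for password length

# Common substitutions attackers already try (assumed table for this example):
# undo them so "H4ck3r$" is compared as "hackers".
LEET = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a", "3": "e",
                      "1": "i", "!": "i", "0": "o", "7": "t"})


def charset_size(pw: str) -> int:
    """Size of the smallest character-class alphabet that could have produced pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(pw: str) -> float:
    """Bits of work for an attacker who tries every string of this length over this alphabet.
    Length multiplies the exponent, which is why a long all-lowercase phrase beats a short
    password full of symbols."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def check_password(pw: str, personal: list) -> list:
    """Return a list of policy problems; an empty list means the password passes.
    personal: words an attacker could learn from social media (names, pets, towns, years)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = pw.lower()
    normalized = lowered.translate(LEET)  # catch "$" for "s" style disguises
    for word in personal:
        w = word.lower()
        if len(w) >= 3 and (w in lowered or w in normalized):
            problems.append(f"contains personal info: {word}")
    return problems


if __name__ == "__main__":
    phrase = "the yellow wallpaper in the old room is dull on monday"
    for candidate in ("H4ck3r$", "FluffyTheCat2019!!", phrase):
        print(f"{candidate!r}: {brute_force_bits(candidate):.0f} bits,",
              check_password(candidate, ["Fluffy", "2019", "hackers"]) or "OK")
```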
Finally, implement multifactor authentication. Having MFA on company systems not only adds a layer of protection, it should also trigger an alert if someone is trying to hack you. Knowing that an attack is being attempted gives you the time to lock systems down and track the attack. Tracking may not lead to anything, but the hacker will think twice before targeting your business again.
#2 Phishing Attacks
This is not a new threat, nor is it a new tactic used by hackers to gain access to your information. The difference now versus five years ago is the sophistication of the schemes. Phishing schemes are morphing into full-fledged social engineering schemes. Email protocols that were designed in the 80s and 90s have had decades of study for vulnerabilities. Hackers can now use tools that make an email look absolutely legitimate when it is not: there will be an accurate logo, words spelled properly, punctuation in appropriate places, and no real indication that it is a bad email. It will, 99.99% of the time, even look like it came from the address the hacker is spoofing. Often these emails, instead of delivering viruses or trojans (a decades-old method), will instead lead you to click links and log into fake sites where your information is handed over and you are none the wiser. This can result in catastrophic problems if you’re using single sign-on information, recycling passwords on various sites or entering your Social Security number, birthdate or other info used to reset passwords. The hacker now has what is needed to access your business’ large digital footprint.
Avoid clicking links in unsolicited emails, even from companies you trust. While you’re at it, don’t even read someone a code that has been texted to you by a company (just don’t). Always call the company or go directly to the company’s site via your browser and log in to deal with an issue. They should know about the issue and be able to verify it’s real. If you call, don’t trust a phone number in the email. And when in doubt, ignore or delete it. Even if the issue seems serious, almost all legitimate companies will follow up with calls and paper mail if necessary. And if the company doesn’t recognize the email you received, tell them about it or share it with them so they can warn other customers. Also share it with your company’s IT department so they can block attempts against employees and co-workers.
#3 Mismanaged Account Access
Not everyone needs access to every system. Businesses create new accounts all the time for new employees. But giving them access to everything the business has to offer is an unnecessary risk. It is better to set up new employees with limited account access until they are trained on how to properly use systems. It should be noted that they may not need access to many systems. Granting unnecessary access to systems creates a larger surface area for hackers to target.
Follow the principle of least privilege when granting accounts. Only create accounts when absolutely necessary, and limit access to only what is needed to accomplish the task. Don’t create accounts for just-in-case scenarios, and don’t leave inactive accounts on systems. When employees no longer need access, remove it. Virgin accounts (accounts that are never used) are a gift to hackers, especially ones that are assigned a bad password like Password1$.
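As an added example of the inactive-account review this section calls for (not code from the original article), the script below audits a constructed account export for the two cases just described: accounts that have never been used since creation and accounts that have gone idle. The CSV layout, the usernames and the day thresholds are assumptions for the example.

```python
from datetime import datetime

# Constructed sample export, one account per line: username,created,last_login
# ("never" marks an account that has never signed in, the article's "virgin account").
SAMPLE_EXPORT = """\
username,created,last_login
jdoe,2019-03-01,2019-12-20
svc_backup,2018-06-15,2018-06-15
temp_contractor,2019-07-01,2019-08-02
new_hire_ops,2019-11-10,never
admin2,2017-01-05,never
"""


def _day(s: str):
    return datetime.strptime(s, "%Y-%m-%d").date()


def parse_accounts(text: str) -> list:
    """Parse the export into dicts; last_login is None for never-used accounts."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header line
        user, created, last = line.split(",")
        rows.append({"user": user, "created": _day(created),
                     "last_login": None if last == "never" else _day(last)})
    return rows


def audit_accounts(text: str, today: str, inactive_days: int = 90, unused_days: int = 14) -> dict:
    """Return {username: reason} for accounts that should be disabled or reviewed.
    - never used and older than unused_days: the account was created 'just in case'
    - no login for more than inactive_days: likely a departed employee or forgotten account"""
    now = _day(today)
    findings = {}
    for acct in parse_accounts(text):
        if acct["last_login"] is None:
            if (now - acct["created"]).days > unused_days:
                findings[acct["user"]] = "never used since creation; disable or delete"
        else:
            idle = (now - acct["last_login"]).days
            if idle > inactive_days:
                findings[acct["user"]] = f"no login in {idle} days; confirm still needed"
    return findings


if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_EXPORT, "2020-01-01").items():
        print(f"{user}: {reason}")
```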
#4 Accidental Insider Threats
When someone who is supposed to have access to something doesn’t protect their credentials or access properly, you have an accidental insider threat. An example is making something publicly accessible to get it to work and forgetting to make it private again, leaving it open to the world. This kind of threat can create devastating exposures because the people you trust often have access to more of the business’ information. These types of exposures usually result in near-immediate abuse on the dark web, as hackers are literally scanning for these accidents constantly.
This is one of the hardest threats to defend against. At the end of the day, training staff about the security risks they can create and monitoring for exposures is about the best you can do. Of course, following all the other security principles discussed here will help to reduce your risk, but ultimately these things will happen. So above all else, train your staff to report them right away, because minutes count when these things happen.
If you want to protect your business from a cybersecurity attack, a good place to start is by assessing your risk in these categories. By requiring employees to use stronger passwords, teaching them to recognize phishing emails and how to resist them, not giving employees unnecessary access, and ensuring that those with access protect their credentials, you give your business a better chance at preventing an attack.