October is Cybersecurity Awareness Month the perfect time of year for organizations of all sizes to brush up on how to stay safe in an ever-evolving cyber threat landscape. To help keep your organization safe this month and year-round, VikingCloud's expert Cyber Specialists have created an easy guide to the seven most common and dangerous threats targeting organizations.
1. Zero-Day Exploits and Vulnerabilities
The issue
It sounds difficult to protect yourself from software vulnerabilities that software vendors themselves are unaware of, right? This is exactly what zero-day exploits and vulnerabilities are a window of opportunity for attackers to compromise a system without a defense.
What should you do?
The best solution is to build a robust vulnerability management program to quickly identify and patch vulnerabilities. This program should include the following:
- Regularly scanning your systems for vulnerabilities.
- Employing advanced intrusion detection and prevention. Continuously monitor your systems to stay on top of potential breaches.
- Detecting and responding to threats by using endpoint protection.
2. Sensible Password Security
The issue
Far too often, we are all guilty of practicing weak password security. In fact, 62% of people in professional settings have admitted to using the same password or a variation of that password. Due to our vulnerable practices with passwords, it is believed that in 2021, 81% of confirmed breaches were due to weak, re-used, or stolen passwords. So, what can we do to improve this?
What should you do?
We recommend that all accounts requiring credentialed access should implement a strong password complexity policy or a password manager. Better yet, these accounts should utilize Multi-Factor Authentication (MFA) or Two Factor Authentication (2FA). 2FA is typically done through SMS, however; we recommend transitioning those accounts that use SMS for 2FA to an authenticator application like this or a physical key.
If any account you use supports features such as Biometric ID (Face, Fingertip ID), one-time passwords, or authenticator apps, it is best practice to activate those features.
There are also some more obvious methods you can implement to ensure you're practicing strong password security:
- Don't write down your passwords.
- Don't share your passwords with anyone.
- Don't re-use or use easily guessed passwords.
3. Artificial Intelligence (A.I.) and Machine Learning (M.L.) Attacks
The Issue
As AI and ML technologies become more integrated into various aspects of business operations, whether for customer service, product recommendations, or core decision support, attackers are also leveraging these technologies to create more sophisticated and automated attacks, such as:
- Manipulating AI systems to show inaccurate results.
- Using deepfake attacks to deceive individuals.
- Employing adversarial attacks to alter the input the AI receives.
What should you do?
The answer to detecting and mitigating these attacks is to implement AI-enabled defenses such as adversary training, input perturbations, and ensemble methods to ensure the security of your organization's AI systems.
4. Stop, Think, and Don't Click the Link
The issue
Having your email inbox full of spam and phishing emails is not a welcome sight. What can be worse, however, is falling for some of the tricks used in phishing attacks. Clicking on links or downloading a file from these types of emails can lead to malware making its way onto your device. Unfortunately, the average cost of Business Email Compromise (BEC) attacks was $5.96 million in 2021.
What should you do?
Educating yourself and your colleagues is the most important factor in mitigating the danger of phishing attacks. Here are several factors you should look out for if you suspect an email is attempting to phish you:
- Do you recognize the sender? If not, it's better to proceed with caution. If you don't recognize the person sending you the email, you should look out for other signs, such as:
- Unusual requests for information, i.e., passwords, financial information, access to your calendar, etc.
- Odd-looking links or email addresses. Often, these criminals will try to impersonate a well-known business email and create links that appear legitimate. Try to learn the differences between harmless and harmful links. For example, what do you think the legit link is here? twitter.com/home or twiite.r.com/home
- Sense of urgency. Often, these emails will have a false sense of urgency and will encourage the receiver to send information in the next 10 minutes; otherwise, they or the business is in trouble. In this case, we recommend reporting this type of request to your IT department.
5. Supply Chain and Third-Party Risks
The issue
Your supply chain and relationships with third-party vendors are often what make your business tick. Most organizations rely on third-party vendors and partners, thus making their supply chain complex and susceptible to compromise. The priority for organizations should be to secure their supply chain.
What should you do?
Reduce the risk of your supply chain being compromised this can be done using two pre-emptive and one ongoing method.
- Contractual agreements. Develop a strong contractual agreement between your business and the vendor that outlines security requirements and expectations. These agreements should include clauses that mandate regular security assessments and reporting.
- Vendor Assessment. Conduct thorough security assessments of third-party vendors and partners before establishing relationships. Evaluate their security practices, data handling procedures, and incident response plans.
- Continuous Monitoring: Implement continuous monitoring of third-party activities to detect any suspicious or unauthorized behavior. Regularly review their security posture and practices.
6. Don't Sleep on Security Updates
The issue
Security updates can come at times when all you want to do is put them off. The reality is that these updates should be done ASAP. The reason for operating systems or program updates is to patch vulnerabilities. Not performing these vital patches can leave you vulnerable to a breach.
What should you do?
Our top tip is to turn on your automatic updates. Usually, you can set this to a time outside of your working hours, so the updates won't interrupt your workday.
There are dangers to relying on just this method, and there should be significance placed on using supported applications and operating systems. Stop and think whether there is a reason you haven't been prompted to perform an update recently. Just because it still works doesn't mean it's secure. If the vendor doesn't support and maintain it anymore, there won't be anyone monitoring for new vulnerabilities and releasing updates for that software.
Here are the types of devices you should consider when checking for updates:
- Computers, tablets, and mobile/cell phones.
- Network devices such as firewalls, and wireless router/access points.
- In the case of wireless access points, it's also important to ensure they continue to support WPA2 or WPA3 instead of WEP.
- IoT devices such as your IP-based CCTV cameras or any other "smart" devices.
7. Share With Care
The issue:
Everyone can be guilty of oversharing on social media. The dangers of this can be amplified when you own a business. Cybercriminals can use your published information to make phishing and Business Email Compromise (BEC) attacks much more convincing.
The most simple but costly issue related to social media for a business is stolen social media credentials or compromised accounts. This is often caused by not implementing multi-factor authentication.
In a very real example, a young business owner's Instagram page, which acted as her online shop, was held ransom by a hacker. After building her brand and social media presence since 2014, all her work was taken from her in an instant, costing her nearly 95% of sales. We believe it's worth spending extra time to organize a social media policy to avoid incidents like this. Here's what you can do.
What should you do?
On social media, share with care. Here are our top tips for posting as your business on social media.
- Check your privacy settings. There can often be links from your business profile to external profiles that manage your accounts. Cybercriminals are great at spotting this and will use the information to exploit your business.
- Before setting up your business's social media presence, consider examining the privacy guidelines of the social media platforms. You can find a list of these here.
- Only share information your customers and the public need to know. Your customers will need to know information like opening times and prices. They don't need to know financial performance or employee details.
- Consider hiring a trained social media manager who will know the dangers and best practices of posting on social media.
Summary
Cybersecurity Awareness Month is the perfect opportunity to highlight best practices to help keep your organization safe from threats. Our Cyber Specialists have highlighted seven common threats and best practices for mitigating them.
While organizations should practice year-round cybersecurity vigilance, Cybersecurity Awareness Month gives a reminder to take the time now to review and educate your organization on these common threats and how to avoid them.
Here are the top 7 cybersecurity threats that we covered.
- Zero-Day Exploits and Vulnerabilities
- Sensible Password Security
- Artificial Intelligence (A.I.) and Machine Learning (M.L.) Attacks
- Stop, Think, and Don't Click the Link
- Supply Chain and Third-Party Risks
- Don't Sleep on Security Updates
- Share With Care
We recommend you share this article with anyone you do business with, including employees, business partners, suppliers, etc. This will raise awareness of the threats and risks to a wider audience and help increase their vigilance and ability to protect themselves and their organization. This also provides an opportunity to discuss potential vulnerabilities in your relationships with partners and suppliers that can be proactively addressed. Formalizing and sharing your ordering, invoicing, and payment processes with all staff on both sides will enable both organizations to avoid falling victim to Business Email Compromise attacks.
Read more about VikingCloud's Managed Security Services or contact the VikingCloud team for assistance with ensuring your organization is secure.