When humans and data collide

Nigel Thorpe, SecureAge Technology’s technical director, looks at the myriad mistakes humans make when it comes to protecting data and what can be done to mitigate them

Posted 27 January 2021 by Christine Horton

Despite the billions of pounds spent on sophisticated cybersecurity, the weakest link remains human. Even after all the awareness training, education and advice, many of the breaches that hit the headlines can be traced back to someone in the organisation, whether through accident or malice. And with more of us working remotely because of COVID-19, these users are removed from the protection of the traditional network perimeter and local IT support. So, what happens when humans and data collide, and how can we prevent more disasters?

All at sea

We have all been receiving more phishing emails over recent years, but during COVID phishing has gone stratospheric. According to a recent Check Point report, the volume of phishing emails towards the end of last year increased more than tenfold over just a two-week period. At times during last November, the report shows, one in every 826 emails delivered was a phishing attempt.

With more of us shopping online, attackers spotted the opportunity to exploit our appetite for a good deal, while others preyed on fear and uncertainty around the pandemic, health, politics and the economy. During the scramble for a vaccine, cybercriminals stepped up email campaigns with subject lines such as ‘urgent information: COVID-19 new approved vaccines’. Scammers also advertised fake antibody tests in the hope of harvesting personal information for identity theft or fraudulent health insurance claims.

While we are all more aware of these scams, it is all too easy to be caught off guard by increasingly targeted and sophisticated phishing.

Why are we still talking about passwords?

Should we be surprised that a LastPass by LogMeIn study has revealed that people still aren’t protecting themselves with strong passwords and that, despite heightened global awareness, consumer password behaviours remain largely unchanged?

Its data showed that 91 percent of people know that using the same password on multiple accounts is risky, yet 66 percent continue to do so. Fear of forgetting passwords is the number one reason for not wanting to update or change them. This is understandable, as most of us get tired of juggling multiple passwords and then having to reset them. But it doesn’t have to be this way. A password manager means we only have to remember one strong master password, and multifactor authentication (MFA) adds a second check, from one-time passcodes sent to a mobile phone to fingerprint or face recognition. One caveat: codes sent by SMS can be phished or intercepted through SIM swapping, so an authenticator app or hardware security key is the stronger choice where a service offers it.

Whose Wi-Fi is it anyway?

One of the most common places humans meet technology is public Wi-Fi. In a local coffee shop, a student connects to the Wi-Fi to research an essay. A businessman uses it to look up his flight information. Meanwhile, a group of friends watch a funny video shared on social media. What they all have in common is that they connected to the café’s public Wi-Fi network with little, if any, thought for the security risks.

It appears that we are too willing to trade our online privacy for convenience. There are many risks associated with public Wi-Fi, but three stand out.

A man-in-the-middle (MitM) attack is like having someone eavesdrop on your conversation: an attacker on the same network intercepts the traffic between two unprotected endpoints while you sip a cappuccino. Then there is the rogue access point (AP): while you think you are joining the right network, you may be tricked into connecting to an attacker’s AP with a legitimate-sounding name, after which every communication passes through it, including card details or passwords if you shop or bank online. Finally, you may be redirected to a malicious site that infects your device with malware. Properly configured TLS (the padlock in the browser) keeps the content of a session confidential even over a hostile network, so the practical exposure is unencrypted traffic, downgraded connections and certificate warnings that users click through.

Beware the USB stick 

USB media offer a fast, simple way to transport, share and store data when an online transfer isn’t possible or convenient. However, their accessibility and portability can make them a security nightmare through data leakage, theft and loss. There is also the risk of a malicious USB stick infecting a machine and opening a back door into the corporate network. Last November, tax returns, contracts and bank statements were among ‘deleted’ files recovered from such drives.

According to research by Digital Guardian, the volume of data downloaded to USB media by employees has increased by 123 percent since the start of COVID-19, suggesting many of us have used them to take home large volumes of data. That means hundreds of terabytes of potentially sensitive, unencrypted corporate data floating around. Also, a recent Kaspersky study found that as many as 90 percent of previously owned storage media, such as USB sticks and hard drives, contain some form of private or business data from their former owners.

Actions to avoid this risk include blocking the devices completely, physically blocking the ports, or disabling the USB controllers through the operating system. However, with the vast number of peripherals that rely on USB ports, including keyboards, chargers, printers and more, blanket blocking will not work for many businesses. The more workable approach is to control USB by device class and refuse only storage: keyboards and mice keep working while mass-storage devices are never mounted.
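The class-based policy described above, as an added example that is not from the original article or from SecureAge: a small Go program that reads the Linux sysfs USB tree, keeps keyboards, mice and hubs, and de-authorises only mass-storage and still-image interfaces. It assumes the Linux sysfs layout (/sys/bus/usb/devices/<bus>-<port>:<config>.<interface>/ with bInterfaceClass and a per-interface authorized attribute, present since Linux 4.4) and root privileges when run against the real /sys; the sample device tree it builds for the --demo flag is constructed, not captured from a real machine.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// USB interface class codes (USB-IF class code list).
const (
	classHID       = "03" // keyboards, mice
	classImage     = "06" // still-image / PTP devices: cameras, phones exposing photos
	classMassStore = "08" // thumb drives, card readers, external disks
	classHub       = "09"
)

// allowClass is the policy: refuse storage-like interfaces, allow every other
// class so keyboards, mice, hubs, printers and chargers keep working.
func allowClass(class string) bool {
	switch strings.TrimSpace(class) {
	case classMassStore, classImage:
		return false
	}
	return true
}

// enforce walks <root>/bus/usb/devices, reads bInterfaceClass from every interface
// directory (names such as "1-3:1.0") and writes "0" to that interface's "authorized"
// attribute when the policy refuses it, which stops the kernel binding a driver such
// as usb-storage to it. Returns the de-authorised interfaces, sorted. Assumes Linux
// 4.4+ sysfs (per-interface authorization) and root privileges on a real /sys.
func enforce(root string) ([]string, error) {
	matches, err := filepath.Glob(filepath.Join(root, "bus", "usb", "devices", "*", "bInterfaceClass"))
	if err != nil {
		return nil, err
	}
	var denied []string
	for _, classFile := range matches {
		raw, err := os.ReadFile(classFile)
		if err != nil {
			return denied, err
		}
		if allowClass(string(raw)) {
			continue
		}
		ifaceDir := filepath.Dir(classFile)
		if err := os.WriteFile(filepath.Join(ifaceDir, "authorized"), []byte("0\n"), 0o644); err != nil {
			return denied, err
		}
		denied = append(denied, filepath.Base(ifaceDir))
	}
	sort.Strings(denied)
	return denied, nil
}

// isAuthorized reports the current value of an interface's "authorized" attribute.
func isAuthorized(root, iface string) (bool, error) {
	raw, err := os.ReadFile(filepath.Join(root, "bus", "usb", "devices", iface, "authorized"))
	if err != nil {
		return false, err
	}
	return strings.TrimSpace(string(raw)) == "1", nil
}

// makeSampleSysfs builds a constructed miniature of /sys/bus/usb/devices so the policy
// can be exercised offline: a keyboard, a hub, a thumb drive and a phone in PTP mode.
// These entries are invented for the demo, not captured from a real machine.
func makeSampleSysfs(root string) error {
	sample := map[string]string{
		"1-1:1.0": classHID,
		"1-2:1.0": classHub,
		"1-3:1.0": classMassStore,
		"1-4:1.0": classImage,
	}
	for name, class := range sample {
		dir := filepath.Join(root, "bus", "usb", "devices", name)
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(filepath.Join(dir, "bInterfaceClass"), []byte(class+"\n"), 0o644); err != nil {
			return err
		}
		if err := os.WriteFile(filepath.Join(dir, "authorized"), []byte("1\n"), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root := "/sys" // real enforcement: run as root
	if len(os.Args) > 1 && os.Args[1] == "--demo" {
		root = filepath.Join(os.TempDir(), "usb-policy-demo")
		if err := makeSampleSysfs(root); err != nil {
			panic(err)
		}
	}
	denied, err := enforce(root)
	if err != nil {
		panic(err)
	}
	fmt.Println("de-authorised storage interfaces:", denied)
}
```

Run with `--demo` to see the policy act on the constructed tree; without it, the program needs root and a real /sys. Two limits matter in practice: interface authorization only stops driver binding and can be reversed by root, and a device that lies about its class (a ‘BadUSB’ stick presenting itself as a keyboard) passes this check, which is why keystroke-injection devices need separate controls. For production use the same idea is packaged by USBGuard on Linux and by the Removable Storage Access policies in Windows Group Policy.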

Be careful what you throw away 

The chances are that if you search through the average office, there will be a collection of old computers, smartphones or external hard drives. They may have been replaced, damaged or simply finished with, but they probably still hold valuable and sensitive business and personal data. When a PC or laptop comes to the end of its useful life, it is all too easy to leave it lying around or discard it, maybe to the local recycling centre. The problem is that deleting data from a hard drive normally removes only the filesystem’s reference to it; the contents remain on the disk until they happen to be overwritten, and can easily be picked up by threat actors who are prepared to trawl through discarded equipment.

Many organisations use specialist firms to dispose of old IT equipment. But this doesn’t always go to plan. For example, German security researchers discovered easily accessible, classified military information on a laptop sold on eBay that had been decommissioned and sent for recycling. The data included instructions on how to destroy an air defence system.

Time to focus on the data

Traditionally, cybersecurity has focused on stopping the ‘bad guys’ gaining access to systems and data through multiple layers of protection. The truth is that even the best defences will not stop a determined cybercriminal gaining access, and if a human provides a helping hand along the way, deliberately or accidentally, it just makes the job easier.

So it’s time to focus on the data itself, so that all data is protected at rest (on USB sticks or hard drives, for example), in use (by running applications) and in transit across fixed or wireless networks. If we make sure that all data is encrypted, all of the time, then even if it gets into the wrong hands it is useless to whoever finds it. The caveat is that encryption moves the problem to the keys: they must be guarded at least as carefully as the data, and an encrypted drive that is unlocked while in use is readable by whatever is running on that machine.
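Two of the points above, that ‘deleted’ data on a discarded drive is still there for anyone who reads the raw bytes, and that data encrypted at rest is useless to whoever finds the medium, as one added example that is not from the original article or from SecureAge. The toy Disk type, its file table and the sample bank-statement line are constructed for the demonstration; the encryption is standard AES-256-GCM from Go’s crypto library, with the file name bound as associated data and a fresh random nonce per file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Disk is a constructed toy medium: a raw byte image plus a file table. As on a real
// filesystem, Delete only drops the table entry (what unlink does); the bytes stay.
type Disk struct {
	image []byte
	table map[string]int // name -> offset of the file's bytes in image
}

func (d *Disk) Write(name string, content []byte) {
	d.table[name] = len(d.image)
	d.image = append(d.image, content...)
}

func (d *Disk) Delete(name string) { delete(d.table, name) }

// Carve is the recycler's view: ignore the file table and search the raw image.
func (d *Disk) Carve(needle []byte) bool { return bytes.Contains(d.image, needle) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM under a fresh random nonce (prepended to the output)
// and binds the file name as associated data, so a ciphertext moved under another name fails.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or name fails authentication.
func Open(key []byte, name string, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(name))
}

type Outcome struct {
	PlainCarvedAfterDelete  bool // deleted plaintext file still recoverable by carving
	CipherCarvedAfterDelete bool // deleted encrypted file: is any plaintext recoverable?
	DecryptsWithKey         bool
	TamperDetected          bool
}

// Demo stores a constructed sample record (not real data) plain and encrypted, deletes
// both and carves for it, then checks the ciphertext decrypts and rejects tampering.
func Demo() (Outcome, error) {
	secret := []byte("ACCOUNT 12-34-56 BALANCE GBP 18,400")
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Outcome{}, err
	}
	var o Outcome
	plain := &Disk{table: map[string]int{}}
	plain.Write("statement.txt", secret)
	plain.Delete("statement.txt")
	o.PlainCarvedAfterDelete = plain.Carve(secret)
	sealed, err := Seal(key, "statement.txt", secret)
	if err != nil {
		return o, err
	}
	enc := &Disk{table: map[string]int{}}
	enc.Write("statement.txt", sealed)
	enc.Delete("statement.txt")
	o.CipherCarvedAfterDelete = enc.Carve([]byte("GBP 18,400")) // not even a fragment survives
	pt, err := Open(key, "statement.txt", sealed)
	o.DecryptsWithKey = err == nil && bytes.Equal(pt, secret)
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(key, "statement.txt", tampered)
	o.TamperDetected = err != nil
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it prints PlainCarvedAfterDelete true and CipherCarvedAfterDelete false: the plaintext copy is fully recoverable after deletion, the encrypted copy gives a carver nothing, and the same ciphertext still decrypts for the key holder while a single flipped bit is rejected. The design choice worth copying is the associated data: binding the file name (or a path and version) means a ciphertext cannot be swapped into another file's slot, which plain CBC or CTR encryption would not catch.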

Nigel Thorpe is SecureAge Technology’s technical director