Yahoo. OnePlus. Adobe. British Airways. eBay. Facebook. JustDial. Nasdaq. Slack. Sony Pictures. Uber. Walmart. What do these seemingly unrelated organizations have in common?
At some point (and in some cases at multiple points), all of these organizations have lost critical business data to hackers. In fact, every single Yahoo email account, all three billion of them, was compromised in 2013. While hackers and cybercriminals have traditionally targeted organizational data to get at customer information, the scope of these threats has grown manifold in the last decade or so. Let us take a closer look at some of the most common methods hackers have recently used to target employees, and at how organizations can fortify their data.
Spear-phishing
Spear-phishing continues to be one of the most commonly used approaches by which hackers introduce malware and compromise data security. Spear-phishing links, in email or on social media platforms, appear genuine and trusted, but instead trick the individual into revealing confidential information without realizing it. Hackers usually rely on employees, particularly those who aren’t digital natives, lacking the information and awareness needed to distinguish authentic emails from fraudulent ones.
Today, hackers also screen social media profiles to personalize the message for the targeted individual and nudge them into sharing seemingly harmless personal information. For example, an employee who likes animals and pets could be sent an email about a touching story of a pet’s recovery, or about discounts on pet products, with a link for further information. That link can be used to compromise the individual’s device or even the entire network.
Social media threats
Over the past decade, several social media platforms have embedded themselves firmly in our digital habits. Naturally, they have become easy targets for hackers looking to extract personal information. Cybercriminals have had tremendous success posing as genuine users and inducing others to share infected messages and visit infected links. Increasingly, they are targeting HR departments and professionals to get access to employee wage and tax data, and then using that data to commit tax fraud and divert tax rebates.
While some organizations regulate the use of social media during office hours and on their premises, many have no policy in this regard. The growing trend of BYOD (bring your own device) in start-ups and smaller organizations can diminish the security of the entire network as well. Furthermore, since social scams are usually spread through mobile devices, the likelihood increases that an employee falls victim to a scam while connected to the workplace network. These challenges have become so pressing that social networking is considered the second-largest threat to enterprise technology security in today’s workplace.
Ransomware
In May 2017, nearly 200,000 employees in more than 150 countries arrived at their workplace to find their devices frozen, with a message demanding a ransom to regain access to their files. The worst-hit countries in this cyberattack (later dubbed WannaCry) were Russia, Ukraine, India, and Taiwan; by one estimate, the economic losses from the attack were nearly $4 billion. In addition to businesses, life-critical services in the healthcare industry were impacted in several countries as well. The attack specifically targeted systems running older versions of Microsoft Windows, which were less secure and more vulnerable.
Since then, thousands of new ransomware variants have targeted organizations, and their frequency has kept increasing. Because these malicious programs can travel through the network, even a single infected system can compromise the entire network. Ransomware is the worst nightmare for any organization: not only is the business down for the duration of the attack, but it may also end up paying a considerable sum in ransom to recover its business-critical data. While experts advise against making such payments, $130,643 was paid to the hackers during WannaCry.
How to secure your business data?
A growing body of evidence suggests that, despite the increasing sophistication of hackers and cybercriminals, the weakest link in the process is humans. Even a single employee who is not adequately trained and lacks the knowledge to identify these threats is a gateway through which hackers and fraudsters can compromise the digital security of an organization. Organizations must not rely on industry leaders or the government to design a comprehensive business security framework for them, as these threats and challenges are constantly evolving. The only effective strategy to combat these threats is to establish a culture of compliance and foolproof work processes, while also training and educating employees regularly.
On average, it takes organizations 174 days to identify a data breach caused by human error and another 57 days to contain it. Many organizations have never fully recovered from these hacks and are still offering settlements to affected users. While the biggest organizations in the world have never been immune to cyber-attacks, cybercriminals are increasingly targeting medium-sized and smaller organizations as well. To sum up, the right time to devise a comprehensive data security plan was yesterday, and you must prioritize training and educating your employees about the many risks that exist in the digital world.