Hackers attack a computer every 39 seconds, according to a study by Michel Cukier, a mechanical engineering professor at the University of Maryland. Almost as surprising is the number of people who believe that they’ll never be hacked because they don’t meet the criterion.
News flash: the criterion is having a computer device connected to the internet.
We asked a few experts to help dispel some of these cybersecurity myths and help you understand how and why anyone is susceptible to a cyberattack.
Myth 1: My business is too small to worry about cyber attacks
You may have a small business, but hackers tend not to discriminate. “Targeted attacks are aimed at one company, individual or asset with a specific goal — often leveraging zero-day exploits,” explained Martin Rues, CISO at Outreach.
“On the other hand, opportunistic attacks are searching for a victim using scanning and other traditional methods to find exploitable vulnerabilities.” And he believes that most attacks fall into the latter category.
That’s because the hacker doesn’t need a high level of skill to execute an opportunistic attack. “And this, in turn, makes it easier for an attacker to leave a large blast radius; it is within this blast radius that smaller companies are at high risk regardless of their size or even business function,” Rues said.
This is a common myth that cybersecurity expert Greg Scott, author of “Bullseye Breach: The Anatomy of an Electronic Break-In,” hears all of the time. “Variations include, ‘We’re not doing national security here, so there’s no ROI to spending on security’ or ‘If they want our records, they can have them.’” And he said that line of reasoning has two key problems.
Maybe no one wants your data, but perhaps your data isn’t the true target. “Your systems could be part of the path to a juicier target,” Scott said. In case you’re thinking, “Well that’s not my problem, why do I care?” consider the ramifications. “You don’t really want your business labeled as a pawn in a major cyberattack; imagine the negative ROI on all the bad publicity.”
Scott points to two examples. “Attackers used stolen credentials from Fazio Mechanical as a first step in the 2013 Target breach,” he said. “A third party also played a role in the larger 2014 Home Depot breach.”
But there’s another reason why this mentality is problematic: ransomware attacks.
“Maybe your data isn’t important outside the organization, but it could be devastating if somebody scrambles it all,” Scott said. “Just ask people in the city of Atlanta, Baltimore, or thousands of other ransomware victim organizations about that.”
Myth 2: As long as I change my password often…
Frequently changing your passwords may seem like a good way to stay one step ahead of the bad guys.
But according to Dan Dillman, founder and CEO of A2U, that’s a myth. He said that in the past the industry did advise users to change their passwords frequently, setting them to expire automatically every 90 days.
“What we’ve found — and research validates — is that this was leading users to choose predictable passwords that were easily remembered, which means it resulted in being easier for hackers to guess those passwords too.”
Who can forget the dreaded “password,” “12345” or “abcde” passwords? Birthdays, phone numbers, Social Security numbers, and any password that can be found in a book, a speech or a TV show can be guessed, or cracked by programs that try candidate passwords continuously.
Dillman actually recommends setting passwords to never expire. “Focus on complexity of the password, not frequency of resets,” he advised. “I encourage users to choose their passwords carefully, following best practices for password security, like avoiding passwords they use on other websites or common words and phrases.” An example of a more complex password is ZC!mb&RRax*eK%sn#.1
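The advice above, reject passwords that are common, sequential or date-like and judge the rest by complexity rather than by age, can be expressed as a screening check. The following is an added example, not code from the article or from A2U; the blocklist is a constructed stand-in for a real breached-password list and the 60-bit entropy threshold is an assumed policy value.

```python
import math
import re
import string
from typing import List, Tuple

# Constructed, deliberately tiny blocklist standing in for a real breached-password
# list (a production check would consult a large list or a k-anonymity lookup service).
COMMON_PASSWORDS = {
    "password", "12345", "123456", "abcde", "qwerty", "letmein", "welcome",
}


def _is_sequential(pw: str) -> bool:
    """True when every character steps +1 or -1 from the previous one, e.g. '12345' or 'abcde'."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def _charset_size(pw: str) -> int:
    """Size of the character pool implied by the classes actually present in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return size


def estimate_entropy_bits(pw: str) -> float:
    """Upper-bound guessing entropy: length * log2(pool size), assuming uniform random choice."""
    size = _charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw: str, min_bits: float = 60.0) -> Tuple[bool, List[str]]:
    """Return (acceptable, reasons). Rejects blocklisted, sequential, repeated,
    date/phone-like and low-entropy passwords; an empty reasons list means accepted."""
    reasons: List[str] = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("found in common-password blocklist")
    if _is_sequential(low):
        reasons.append("sequential characters")
    if pw and len(set(low)) == 1:
        reasons.append("single repeated character")
    if re.fullmatch(r"\d{6,8}", pw):
        reasons.append("looks like a date or phone number")
    bits = estimate_entropy_bits(pw)
    if bits < min_bits:
        reasons.append(f"estimated entropy {bits:.1f} bits is below {min_bits:.0f}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # "ZC!mb&RRax*eK%sn#" is the article's own example of a complex password; the rest
    # are the weak patterns the article names plus a constructed date-like value.
    for candidate in ["password", "12345", "abcde", "19900115", "ZC!mb&RRax*eK%sn#"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accept' if ok else 'reject'} {why}")
```

The entropy figure is an upper bound (it assumes the characters were chosen at random), so it is only a gate against obviously short or single-class passwords; the blocklist and pattern checks catch the human-chosen weak values. Reuse across websites, which Dillman also warns against, cannot be detected locally and needs a breached-credential service or a password manager.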
Myth 3: Policy will protect us
However, strong passwords can only provide so much protection. “Back in 2013, almost 70% of major cyberattacks on corporations included some form of social engineering,” said Brendan Caulfield, cofounder at ServerCentral Turing Group. “This type of threat is still prevalent today, and no amount of policy or password changes will be able to combat this type of vector.”
He said the best defense is education, awareness, and skepticism. “Many companies have embraced training their staff on these topics, but we have a long way to go and the attackers are generally at least one step ahead.” Caulfield said he is suspicious of these types of attacks and always on the lookout for them.
“However, I am targeted multiple times each week and the attacks continue to get more and more sophisticated and sniffing out the bad content can be a challenge — even for someone who is suspicious and educated.”
Instead, he believes that education and training are essential. “Training is not just about specific tactics, but about making sure that you can spot something suspicious.” And Caulfield said you have to be diligent. “Letting your guard down just once can have dire consequences — personally and to the business.”
Myth 4: The bad guys are only on the Internet
While there are some bad actors on the Internet, you can’t ignore the possibility that they may also be sitting next to you in the company’s break room. “There are many high-profile examples of cybersecurity attacks that originated from inside the business,” Caulfield warned.
“Some of these are stories about access and bad actors who had purview into a company’s IP and used it to their benefit and to the detriment of the company.” He provided some high-profile examples:
- A Google engineer stole self-driving car technology and took IP with him when he went to work for Uber.
- In 2017, an employee at Anthem was stealing and misusing PHI (protected health information) for Medicaid subscribers and using that data for personal gain.
- Verizon reports that 58% of reported (important distinction) PHI leaks were the result of malicious or negligent insiders.
These types of social engineering attacks are difficult to spot because employees rarely suspect their colleagues and coworkers — but these are the people who have access to data, PII (personally identifiable information), and IP.
“All companies need to take this seriously and have strict controls around who has access to what,” Caulfield warned. “They also need very rigid on- and off-boarding procedures as well as processes to regularly audit and validate internal security to make sure all employees only have access to what they absolutely need to do their jobs.”
Another option is to implement systems that can monitor for suspicious activity and alert your security team when questionable activity is detected.
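The controls Caulfield describes, strict access by role, rigid off-boarding and regular audits, reduce to a periodic comparison of what each account can reach against what its job needs. The following is an added example, not code from the article or from ServerCentral Turing Group; the role baselines, account records and entitlement names are all constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role baselines: the entitlements each job function actually needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "engineer": {"source-repo", "ci-pipeline"},
    "billing": {"billing-db", "crm"},
    "hr": {"hris", "phi-records"},
}


@dataclass
class Account:
    user: str
    role: str
    active: bool          # False once HR records the person as off-boarded
    enabled: bool         # whether the directory account still permits login
    entitlements: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    user: str
    kind: str             # "offboarded-still-enabled" or "excess-entitlement"
    detail: str


def review_access(accounts: List[Account],
                  baseline: Dict[str, Set[str]] = ROLE_BASELINE) -> List[Finding]:
    """Flag off-boarded people whose accounts still work, and any entitlement
    beyond the role baseline. Unknown roles have an empty baseline, so every
    entitlement they hold is reported until the role is defined."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.active and acct.enabled:
            findings.append(Finding(acct.user, "offboarded-still-enabled",
                                    "disable account and revoke all entitlements"))
        needed = baseline.get(acct.role, set())
        for extra in sorted(acct.entitlements - needed):
            findings.append(Finding(acct.user, "excess-entitlement", extra))
    return findings


# Constructed sample: one clean account, one with an entitlement outside its role,
# and one off-boarded account that was never disabled.
SAMPLE_ACCOUNTS = [
    Account("alice", "engineer", True, True, {"source-repo", "ci-pipeline"}),
    Account("bob", "billing", True, True, {"billing-db", "crm", "phi-records"}),
    Account("carol", "hr", False, True, {"hris", "phi-records"}),
]


if __name__ == "__main__":
    for finding in review_access(SAMPLE_ACCOUNTS):
        print(f"{finding.user}: {finding.kind} ({finding.detail})")
```

Run against a real directory export, the same comparison produces the list an access reviewer signs off on each cycle; the "offboarded-still-enabled" finding is the one that catches gaps in the off-boarding procedure, and "excess-entitlement" findings are the candidates for revocation or for a documented exception.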
Most individuals use social media for personal activity — although companies also use it to advertise and connect with customers. “They also use it for business and legal purposes, including to disqualify job or school candidates, for school or event safety, and as evidence for legal proceedings,” said Craig Carpenter, CEO of X1. Employees have been fired for offensive social media posts, even though they were off duty at the time they wrote them.
“Social media posts have also been used as part of employment proceedings or as exhibits in lawsuits,” Carpenter explained. For example, in an April 2018 court case (Ha v. Baumgart Café of Livingston), a plaintiff’s attorney failed to file a motion on time and was ordered to explain why she missed the deadline. The attorney stated that a family emergency required her to be out of the country. However, social media posts presented to the court proved otherwise and the attorney was ordered to pay a $10,000 fine.
Social media data has also been used in other ways. Con artists have stolen photos of kids to use in fraudulent GoFundMe campaigns, and photos of attractive people are routinely used as profile photos on dating sites — and even Twitter.
Myth 6: My work computer is my computer
If you have a work laptop, it’s convenient to keep your personal information on it. However, Carpenter said this is a bad habit that can cause the employee and company a lot of headaches. “First off, in the US, company-issued equipment is almost always the property of the company — including any and all content on it (via standard verbiage in employee use agreements).” As a result, it can be recalled with no advance notice.
“Second, if a laptop is breached as part of increasingly commonplace corporate cyber events, that personal content can be stolen and used for nefarious purposes, e.g. extortion,” Carpenter said. “Third, employees may be prohibited from keeping personal information on company-issued devices by corporate policy, setting the employee up for potential company discipline.”
And fourth, because the equipment belongs to the company, he said it could face liability for having non-sanctioned PII on laptops.