Cybercriminals don’t take time off during the holidays. As we head into a new decade, your company’s data has never been more vulnerable to a cyberattack. That’s because hackers are constantly inventing new ways to target your data. There is no industry that is free from the threat of data theft. Here are eight ways attackers can target your digital assets.
Ransomware remains one of the largest data security threats. This malicious software has gone from widespread attacks to highly targeted hits. In 2019, for example, hackers found they could routinely penetrate governments and hospitals. And there are no signs that ransomware attacks are going to slow down in 2020 in any sector.
Because ransomware typically comes in through other types of attacks, primarily phishing, make sure your antivirus is up to date, your systems are patched, and you’re running an antivirus or anti-malware program that specifically detects ransomware.
But the best defense against ransomware is a solid set of backups. Use the 3-2-1 rule: 3 copies, saved on 2 types of media, with 1 copy stored at an off-site location. This strategy prevents an attack from holding all of your data hostage. If ransomware reaches your disk-to-disk backup but the same data is stored on a USB drive, your extra copy will still be safe.
- Phishing – when you receive a tailored email that prompts you to give up your credentials – remains a popular tactic. But it’s also evolved to include spearphishing and whaling.
- Spearphishing – Attackers have identified specific employees to target, often those in finance or HR. Rather than using a broad net, they use a spear to hook victims instead. Because the email wording is more personalized, the target is more likely to trust it.
- Whaling – This attack specifically goes after an executive. Like spearphishing, the attacker has done extensive homework on their target so they can approach them in a believable manner. A whaling email appears to be from an administrative assistant, the CFO, or a fellow executive – someone the CEO or president would inherently trust. Senior leadership are vulnerable to whaling because they have access to financial credentials and other privileged information, plus they have trust in their staff that can be exploited. To compound the problem, many executives assume they are safe from these types of attacks and don’t take necessary steps to protect themselves.
Attacks in Your Supply Chain
If an attacker can’t penetrate your business directly, they will find a back door through your trusted partners. Your supply chain vendors often have special permissions into your systems – an opening that attackers can exploit. For example, the now infamous Target attack happened in part because an HVAC vendor was compromised, a vulnerability that ultimately created an opportunity to penetrate the store’s point-of-sale system.
There is an uptick in attacks on managed service providers (MSPs). A subset of supply chain attacks, these are effective because an IT provider typically has administrator access to your systems.
The trouble is two-fold. First, if the MSP isn’t vigilant about their own network, they can be at risk of creating an opening. Second, many MSPs are not well-trained in cybersecurity. Because cybersecurity is evolving so rapidly, you truly need a dedicated person with specialized knowledge to combat it.
Intellectual Property Theft
Data security is often focused on the traditional definition of personally identifiable information (PII), which includes “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” However, that’s not the only type of valuable files your company stores. Attackers are mining for anything they can financially exploit, such as trade secrets, pending patents, and manufacturing processes.
As companies move to cloud hosting, they aren’t always aware of the data security risks. A common misconception is that your cloud hosting provider handles all of the security. But a provider like Amazon Web Services or Microsoft Azure is only responsible for protecting their network – not your website or database. If you don’t take precautions on your end, you could end up with a database that is left wide open or your files being posted with zero defenses.
Social Media Bots
Did you know your business Facebook page, the company’s Twitter account, and even your Slack channels are potential attack vectors? All it takes is one click of a fake download and virus-laden bots can spread malware, steal credentials, and access financial information. Even an employee using your company’s WiFi on their phone can click on a malicious link from their personal social media account and allow hackers into your network.
Are you keeping tabs on legislation that addresses data privacy? GDPR, for example, went into effect in May 2018, though many companies aren’t in compliance yet (adoption is slow in both Europe and the U.S.).
On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect. It applies to any business that collects and stores personal information on “50,000 or more consumers, households, or devices” and “derives 50 percent or more of its annual revenues from selling consumers’ personal information.” Utah also enacted a digital privacy bill in early 2019, and other states have similar proposals on the table.
Most businesses have never before had to secure this type of data or be held accountable for purging it. But the bottom line is that we are moving from the outdated concept that a company owns all the data they collect to a mindset that companies are only stewards of the data they hold. The era of carte blanche with consumer data is drawing to a close.