For good reason, cyber security has become one of the most talked-about topics. Both small businesses and large companies now find themselves with a pressing need to take part in this conversation. Internet threats can now affect every aspect of our lives and we’ve seen over the years the severe ramifications for those who don’t take the necessary precautions.
The SolarWinds supply chain attack disclosed in 2020 affected Fortune 500 companies from Microsoft to Cisco as well as high-profile US government agencies, including email accounts at the US Department of Homeland Security. In May 2021, the Colonial Pipeline Company was hit by ransomware, disrupting fuel supplies across the US East Coast for days.
What all this means is that if even the most powerful enterprises and institutions are vulnerable to cyber threats, and require proper protection, so does your company or small business.
In order to get protection, you have to know what you need protection from.
The list is long and the methods are increasingly sophisticated, as cybercriminals get better at breaking into IT systems and extracting confidential information. It's important that companies carry out a cyber security assessment to make sure their defenses are up to date and designed to withstand the common, and very effective, attack methods described below.
Phishing
The ways in which cybercriminals carry out phishing are numerous, but they all share one aspect: the attacker dupes you into clicking a link or opening an attachment in order to capture your confidential information, from login usernames and passwords to credit card details.
It starts with a message. It can be an instant or text message, a social media post or a search engine ad, but in most cases it arrives by email.
On the surface, the email appears to come from a legitimate source. Only when you check the actual sender address do you notice that it is similar to, but not the same as, the real one. The display name may say "Apple", but if you expand the address and compare it with the domain Apple actually sends from, you will see differences, obvious or subtle: spelling mistakes, extra words, or a look-alike domain.
But since the design and typeface are close enough, an unsuspecting user assumes it was sent by Apple, Netflix, their bank, their school or their university. Think about it: we rarely check the sender's address when the name that appears is familiar.
The emails prompt you to act with a sense of urgency: your subscription has expired, your account has been frozen, a recent purchase couldn't be delivered, a routine password change is due. The pretexts are endless, but the vast majority ask you to click a link or open an attachment.
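To make the address check concrete, here is an added example (not code from the original post or from Sunvera) that inspects a message's From header and subject line: it separates the display name from the actual address, checks whether a named brand's real domain is the sender, undoes common look-alike substitutions such as "1" for "l" and "rn" for "m", and flags urgency words. The brand allow-list, the urgency phrases and the sample headers are all constructed for the example.

```python
"""Flag phishing-style From headers: the display name claims a brand, but the
sending domain is not one the brand uses, or is a look-alike of it."""
from email.utils import parseaddr

# Constructed allow-list (assumption for this example): domains each brand
# legitimately sends from. A real deployment would maintain its own list.
TRUSTED_DOMAINS = {
    "apple": {"apple.com"},
    "netflix": {"netflix.com"},
    "paypal": {"paypal.com"},
}

# Constructed list of urgency phrases typical of phishing subject lines.
URGENCY = ("expired", "suspended", "locked", "frozen", "verify", "immediately", "24 hours")

# Digits attackers swap in because they look like letters in many typefaces.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Undo common look-alike substitutions before comparing with a brand name."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain, trusted):
    """True if domain is a trusted domain or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def analyze(from_header, subject):
    """Return a list of findings for one message; an empty list means nothing suspicious."""
    display_name, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    labels = domain.split(".")
    # Registrable label taken naively as the second-to-last label (assumption:
    # ignores multi-part public suffixes such as co.uk).
    registrable_sld = labels[-2] if len(labels) >= 2 else domain
    findings = []

    for brand, trusted in TRUSTED_DOMAINS.items():
        claims_brand = brand in display_name.lower()
        if not claims_brand and not any(brand in normalize(l) for l in labels):
            continue  # message does not reference this brand at all
        if is_trusted(domain, trusted):
            continue  # brand name matches a domain the brand really uses
        # Compare each hyphen-separated token of the registrable label with the brand.
        tokens = normalize(registrable_sld).split("-")
        distance = min(levenshtein(t, brand) for t in tokens)
        if distance <= 1:
            findings.append(f"lookalike domain '{domain}' imitates {brand}")
        elif any(brand in normalize(l) for l in labels[:-2]):
            findings.append(f"'{brand}' used as a subdomain of unrelated domain '{domain}'")
        else:
            findings.append(f"display name claims '{brand}' but sender domain is '{domain}'")

    cues = [w for w in URGENCY if w in subject.lower()]
    if cues:
        findings.append("urgency cues in subject: " + ", ".join(cues))
    return findings


# Constructed sample headers (not real messages).
SAMPLES = [
    ("Apple <no_reply@email.apple.com>", "Your receipt from Apple"),
    ("Apple Support <support@appie-id.com>", "Your Apple ID has been locked - verify immediately"),
    ('"Netflix" <billing@netf1ix-accounts.net>', "Your subscription has expired"),
    ("Apple <alerts@secure-mail-updates.com>", "Action required"),
    ("PayPal <service@paypal.com.account-review.net>", "Unusual sign-in"),
]

if __name__ == "__main__":
    for hdr, subj in SAMPLES:
        print(hdr, "->", analyze(hdr, subj) or ["ok"])
```

In production this kind of string check sits behind SPF, DKIM and DMARC verification, which confirm that the sending domain really authorized the message; the look-alike checks here catch the domains that pass those checks precisely because the attacker registered and controls them.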
If you fall for it, then this can go two different ways (or a combination of both).
The Fake Website
You’ll be taken to a fake website imitating a legitimate one, where you might have an account, such as a bank, a streaming service, and so forth. Again, if you don’t look carefully, the logos, the design, even the phrasing will seem convincing.
You'll be asked to log in, and whatever information you enter falls right into the hands of the attacker, who can now sign in to the real account the fake site was imitating. If that account is your bank's, the losses can be immense, for business owners and employees alike.
The Malicious Link
The link or attachment itself is malicious and installs malware: software designed to gain privileged access to your systems by any of a wide range of methods and then steal sensitive data, disrupt or damage the system, or spy on and copy your files. The list of malware types and what they do once inside is long, but in every case they are harmful to you and your business.
For example, one of the most common types of malware is ransomware. Once the attacker has infiltrated your systems, they encrypt your data, blocking your access and effectively holding it hostage until you pay a ransom by a deadline.
Spear Phishing
This is a more targeted, personalized form of phishing. Like a spearfisher, the attacker goes after specific targets.
The attacker researches you or your company: employee names and job titles, projects you are working on, the services you provide, and of course your email addresses and phone numbers.
The cybercriminal uses this information to send you an email posing as someone you know, using the same technique described earlier: the sender's name is right but the email address is not. If the email is convincing enough, you won't take the trouble to inspect the address itself. The subject line may ask you to act on something relevant to the company, and again the look of the email will imitate the company's real template.
Whaling
It's essentially the same threat as spear phishing, except that the target is a much bigger fish, a whale: someone with a higher profile, such as the CEO or CFO. They receive an email that seems to come from one of their employees asking for help completing a task, or for some sensitive information.
These attacks require much more planning because of how elaborate they are. The attacker needs enough context to convince a CEO to fill out a form, click a link, or hand over credentials to what appears to be an employee.
The rest is the same: you open a document that installs malware, or you are asked to provide confidential information, and the perpetrator potentially gains access to your company's entire network.
Hacked Websites
When a website is hacked, the attacker can not only alter or take down the site but also seed it with malicious links, ads and injected forms. Any visitor can then end up downloading malware or typing their credentials and payment details straight into the attacker's hands.
Credential Stuffing
What is credential stuffing? Simply put, attackers take the username and password pairs exposed in one breach (the 2012 LinkedIn breach is a well-known source of such lists) and use automated bots to replay them against the login pages of other sites. Wherever a user reused the same password, the bot gets in, and the attacker can reach whatever that account holds: payment methods, personal data such as Social Security numbers, or access to internal systems.
The reason this is such a common, and successful, threat is that so many people reuse the same username and password combination across multiple sites, and the breached lists are easy to find. You can try it yourself: search for "password list" and see how many results point to databases of breached credentials.
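Credential stuffing leaves a recognizable trace in login logs: one source address tries many different usernames in a short time and almost all of them fail. The following detector is an added example (not code from the original post or from Sunvera) that runs over a constructed log excerpt; the log line format, the thresholds and the addresses are assumptions for the example.

```python
"""Detect credential stuffing in constructed web-server login logs: one source
address trying many different usernames in a short window, mostly failing."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example):
#   2024-05-01T10:01:00Z 203.0.113.7 POST /login user=bob status=401
LINE_RE = re.compile(r"^(\S+) (\S+) POST /login user=(\S+) status=(\d{3})$")


def parse_line(line):
    """Return (timestamp, source_ip, username, status) or None for non-login lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, user, status = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, int(status)


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within any `window`, tried at least `min_users`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.
    A legitimate user mistyping one password several times does not trip this,
    because they only ever try one username."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, status = parsed
            by_ip[ip].append((ts, user, status))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, s in span if s != 200)
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                # report over everything this IP did, so no compromised account is missed
                alerts[ip] = {
                    "distinct_users": len({u for _, u, _ in events}),
                    "attempts": len(events),
                    "failures": sum(1 for _, _, s in events if s != 200),
                    "compromised": sorted({u for _, u, s in events if s == 200}),
                }
                break
    return alerts


# Constructed sample log (not real traffic). 198.51.100.4 is a real user who
# mistypes twice; 203.0.113.7 is a bot replaying a breached list.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 198.51.100.4 POST /login user=alice status=401
2024-05-01T10:00:05Z 198.51.100.4 POST /login user=alice status=401
2024-05-01T10:00:12Z 198.51.100.4 POST /login user=alice status=200
2024-05-01T10:01:00Z 203.0.113.7 POST /login user=alice status=401
2024-05-01T10:01:01Z 203.0.113.7 POST /login user=bob status=401
2024-05-01T10:01:02Z 203.0.113.7 POST /login user=carol status=401
2024-05-01T10:01:03Z 203.0.113.7 POST /login user=dave status=200
2024-05-01T10:01:04Z 203.0.113.7 POST /login user=erin status=401
2024-05-01T10:01:05Z 203.0.113.7 POST /login user=frank status=401
2024-05-01T10:01:06Z 203.0.113.7 POST /login user=grace status=401
2024-05-01T10:01:07Z 203.0.113.7 POST /login user=heidi status=401
2024-05-01T10:02:00Z 192.0.2.9 POST /login user=ivan status=401
2024-05-01T10:02:30Z 192.0.2.9 POST /login user=judy status=401
2024-05-01T10:02:31Z 192.0.2.9 GET /health status=200
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The "compromised" list is the actionable output: those accounts had a working password in the attacker's list, so they need a forced reset and a check of their recent activity, while the source address is a candidate for rate limiting or blocking. Real campaigns rotate through many addresses, so a production rule would also aggregate by other signals such as the user agent.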
What Cyber Security Protections Do You Need?
The good news is that there are plenty of ways to protect yourself from these attacks. For phishing, take the time to check the sender's actual address, look for misspellings or look-alike domains, and hover over links to see where they really lead before clicking. Train your employees to do the same.
A great way to protect yourself from cyber threats is multi-factor authentication (MFA), a security measure that requires more than just your username and password. Before you can access an account from a particular device, you must also present something else, such as a one-time code from an authenticator app or one sent to your phone by text message. A phished password on its own is then not enough to log in.
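The code below is an added example (not from the original post or from Sunvera) of what that second factor looks like on the server side: a login that requires both the password and a time-based one-time code of the kind an authenticator app produces (RFC 6238 TOTP, built on RFC 4226 HOTP). It shows that a correct, phished password with a missing or wrong code is rejected, and that a code cannot be replayed once used. The user record, its salt and the RFC test seed used as the TOTP secret are constructed for the example.

```python
"""Password plus TOTP login check (RFC 4226 / RFC 6238) with replay protection."""
import hashlib
import hmac
import os
import struct
import time

DIGITS = 6
STEP = 30  # seconds per time step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1, step: int = STEP):
    """Return the matching time-step counter, or None. Tolerates +/- `window`
    steps of clock skew and compares in constant time; when several steps
    match, the latest counter is returned so replay checks stay monotonic."""
    base = int(at_time) // step
    matched = [base + d for d in range(-window, window + 1)
               if hmac.compare_digest(hotp(secret, base + d), code)]
    return max(matched) if matched else None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record (assumption for the example); a real system keeps this
# server-side and enrols a random per-user TOTP secret.
_SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test seed, not a real secret
        "last_counter": -1,                       # highest time step already used
    }
}


def login(username: str, password: str, code: str, at_time: float = None) -> bool:
    """Both factors must pass; a phished password alone returns False."""
    at_time = time.time() if at_time is None else at_time
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    counter = verify_totp(user["totp_secret"], code, at_time)
    # Evaluate both factors before deciding, so the response does not reveal which one failed.
    if not pw_ok or counter is None or counter <= user["last_counter"]:
        return False  # wrong password, wrong code, or a code that was already used
    user["last_counter"] = counter
    return True


if __name__ == "__main__":
    now = time.time()
    secret = USERS["alice"]["totp_secret"]
    print("password only:", login("alice", "correct horse battery staple", "ABCDEF", now))
    print("both factors :", login("alice", "correct horse battery staple", totp(secret, now), now))
    print("replayed code:", login("alice", "correct horse battery staple", totp(secret, now), now))
```

Two details matter in practice: the comparison uses hmac.compare_digest so an attacker cannot time their way through the digits, and the server records the last accepted time step so a code captured by a phishing page cannot be reused after the victim has logged in with it.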
Then there's password hygiene. Use strong passwords that cannot be guessed or cracked, for you and all your employees, and never reuse a password across sites, since that reuse is exactly what credential stuffing exploits. To make this manageable, use a password manager: one master password that only you know unlocks the rest.
Security tools like IDS/IPS, firewalls and SIEMs help you monitor your networks and alert you to suspicious behaviour, for example one address attempting logins to many different accounts in quick succession.
So remember, protecting your business from cyber threats takes more than a great antivirus or firewall. It's about having proactive measures in place at every layer, so that an attacker who gets past one control is stopped by the next.
Sunvera Software develops next-level software applications from start-to-finish. We are a premier software and mobile app development agency specializing in healthcare mobile app development, custom mobile app development, telehealth software, sales dashboards, custom mobile app development services, retail software development, supply-chain software, ecommerce, shopify, web design, iBeacon apps, security solutions and unified access software.
We are proud partners with Amazon AWS, Microsoft Azure and Google Cloud.
Schedule a free 30-minute call with us to discuss your business, or you can give us a call at (949) 284-6300.