Date: 2022-10-05
It’s Cybersecurity Awareness Month and the FBI has some stats you should know: Since the pandemic began, there’s been a 300 percent increase in cybercrimes — and 95 percent of those were caused by human error.
Of those cybersecurity breaches, 45 percent were caused by hacking to get unauthorized access to data, 17 percent involved malware, and 22 percent were due to phishing scams. According to the FBI’s data, the majority of these breaches could have been prevented if cybersecurity best practices were followed.
Gov. Jared Polis kicked off Colorado’s celebration of Cybersecurity Awareness Month last night, so today we talked with Colorado Springs cybersecurity experts Dr. Erik Huffman and Rodney Gullatte Jr. for their take on the risk landscape.
As if to drive home the reality that no organization is too small or too big to be attacked, less than an hour after we talked with Huffman and Gullatte, the state of Colorado announced that the Colorado.gov state web portal homepage was taken down due to a "cyberattack claimed by an anonymous suspected foreign actor that targeted multiple state government services and websites across the United States."
We’ll be following that story but for now, we’ll bring you information from our local experts on how to protect yourself, your business and your clients.
Huffman, who's a cybersecurity researcher and cyberpsychologist, says the threats are real and always growing.
"Security does not exist. We all accept certain levels of insecurity,” he said. “Banking online inherently has a risk. Sending emails has a risk. Being active on social media has a risk. However, we are in control of our behavior in these environments.
“If we want to be secure, we must minimize these risks by practicing the basics in cybersecurity. If we do not take ownership and responsibility of our behaviors things will only get worse.
"Cybersecurity professionals cannot patch human behavior," he said. "In the end, people are the difference between data breach and continued success.”
Gullatte, who's a certified ethical hacker and CEO of Firma IT Solutions, gives examples.
“Small businesses are still in trouble, ransomware is increasing exponentially, and credential stealing is a big deal — that's your username and password,” he said.
Turning on two-factor authentication is critical to preventing credential stealing, Gullatte said, “but the hackers know 2FA is important so they've come up with ways to attack that also — and the only way they can attack that is through you. So you may get a text message from someone that says, 'Hey, we're trying to fix this issue you have. Send us the code you just got,' or maybe they'll call you on the phone and say, 'This is Bank of America, we found an issue with your account, we're gonna send you a code and let me know what the code is you receive.'”
That means a hacker has already figured out your password, Gullatte said, “and now the two-factor authentication is blocking them so they trick you into giving them that 2FA code. Once they have that you're done. They got you. And it sucks. You don't want to be that person.”
People are surprised that mistakes like these usually can’t be fixed, he said.
“No, nope,” he said, “nobody's gonna be able to help you with that” once you’ve handed over the two-factor authentication code. “And unless it's like multi-million dollars, the FBI ain't helping you either.”
Misconfigurations and human error are the big issues, Gullatte said.
“People are the weak link still. Even with all the technology I can build into your business, with firewalls and intrusion prevention and all that stuff, they still just send an email — and it looks like an invoice from a client — but you didn't check the email address, and you just click the PDF. Then you're like — 'Oh man, I did something.'
"We had one of our clients do that recently, but when she opened the PDF, our defenses kicked in and blocked everything that was trying to happen. But she still opened it. Don't open it.”
Gullatte urges business owners to take care in choosing their cybersecurity and IT professionals. “There's people that do this kind of work that aren't qualified to do it — but they talk good, and you pay them, and they put you at risk."
Cyber and IT professionals “who are serious” should have certifications, be a member of a chamber of commerce, and be part of the Better Business Bureau, he said.
“The certifications mean they actually cared enough about their profession to be the best and prove their knowledge — and prove to you that they know what they're talking about,” he said. “The chambers of commerce and the BBB are so you [as a client] have somebody to complain to.”
Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month. The Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance lead a collaborative effort every year between government and industry to raise cybersecurity awareness nationally, encouraging people and organizations to actively improve and be accountable for their part in cyberspace.
For more on how to stay safe online, CISA has these resources.