Cybersecurity Awareness Month just ended, but don’t look away. Cybersecurity investigators are calling this year “memorable [in] the murky world of cybercrime,” saying that “financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months.”
The 2022 Verizon Data Breach Investigations Report (released by that team of investigators) identifies the top breach varieties: use of stolen credentials, ransomware and phishing.
“The main ways in which your business is exposed to the internet,” the researchers write, “are the main ways that your business is exposed to the bad guys. … This is followed by carelessness, which is associated with errors such as misdelivery and misconfiguration.” In fact, this year 82 percent of all breaches involved what the researchers call “the human element.”
We talked with Colorado Springs cybersecurity experts Dr. Erik Huffman and Rodney Gullatte Jr. — who see that “human element” up close — for their take on the risk landscape.
Huffman, a cybersecurity researcher and cyberpsychologist, says the threats are real and always growing.
“Security does not exist. We all accept certain levels of insecurity,” Huffman said. “Banking online inherently has a risk. Sending emails has a risk. Being active on social media has a risk. However,” he emphasized, “we are in control of our behavior in these environments.”
Every individual and business can minimize these risks by practicing the basics in cybersecurity. “If we do not take ownership and responsibility of our behaviors, things will only get worse,” Huffman said.
“Cybersecurity professionals cannot patch human behavior. In the end, people are the difference between data breach and continued success.”
Gullatte, who is a certified ethical hacker and CEO of Firma IT Solutions, gives examples.
“Small businesses are still in trouble, ransomware is increasing exponentially, and credential stealing is a big deal — that’s your username and password,” he said.
Turning on two-factor authentication is critical to preventing credential stealing, Gullatte said, “but the hackers know 2FA is important so they’ve come up with ways to attack that also — and the only way they can attack that is through you.”
That could come as a text message or phone call from someone pretending to be tech support or from Microsoft or from your bank, he said: ‘We’re trying to fix this issue you have — send us the code you just got.’ That means a hacker has already figured out your password (likely because you haven’t changed it in a long time, or you use it across several applications, or it’s too simple) and now the two-factor authentication code is the only thing blocking their access to your company’s accounts or systems. So they trick you into giving them that two-factor authentication code.
“Once they have that, you’re done,” Gullatte said. “They got you. And it sucks. You don’t want to be that person.”
People are surprised that mistakes like these usually can’t be fixed, he said.
“No, nope,” he said, “nobody’s gonna be able to help you with that” once you’ve handed over the two-factor authentication code. “And unless it’s multi-million dollars, the FBI ain’t helping you either.”
The Verizon DBIR confirms credentials and personal data are the major targets for cybercriminals. “We’ve long held that credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system,” the authors say. “Much like the proverbial wolf in sheep’s clothing, their actions appear innocuous until they attack. … Attackers are frequently exfiltrating personal data, including email addresses, since it is useful for financial fraud. There is also a large market for their resale.”
Gullatte has seen it. “There’s a methodology to hacking,” he said. “You’re not going to see a big skull and crossbones on your screen: ‘You owe money in order to get your data back.’ Sometimes these guys want to lay low. They’ll sit there and watch.
“I had a guy in a business here that had a keylogger on his computer for two years by the time I got there — and this is the computer that they use to take credit card payments over the phone, to write invoices; this is their main money-driven computer system that their admin used. So this keylogger [meant] everything that they typed on that keyboard — usernames, passwords, websites, all those invoices, the names, addresses, credit card numbers — was sent to [a hacker] every night for two years.”
That company was using a cloud system they thought was secure, Gullatte said, “but your cloud is only as secure as the computer you use to access the cloud.”
The Verizon DBIR gives suggestions to make your business less vulnerable: “Use antivirus to remove bots; implement patching, filtering and asset management to prevent exposed vulnerabilities; and standardize two-factor authentication and password managers to minimize credential exposure.”
But most businesses will need expert help to do this correctly and consistently. Here, Gullatte urges business owners to choose their cybersecurity and IT professionals carefully. “There’s people that do this kind of work that aren’t qualified to do it, and there’s a lot of these companies operating with no accountability. When they screw you, or make a mistake because they’re inferior, there’s nothing you can do about it,” he said. “They don’t care. They just move on to the next one.”
Cyber and IT professionals “who are serious” should have certifications, belong to a chamber of commerce, and be part of the Better Business Bureau, Gullatte said.
“The certifications mean they actually cared enough about their profession to be the best and prove their knowledge — and prove to you that they know what they’re talking about,” he said. “The chambers of commerce and the BBB are so you [as a client] have somebody to complain to.”
Ask about certifications, do your research and read your contracts, Gullatte said. “Don’t do a handshake deal for somebody to manage computer systems — that’s unsafe. People doing that, though,” he said. “This is not a game. It’s not worth being cheap and just checking the box. You really need to put some work into taking care of your stuff.”