It’s hard to remember that the COVID-19 pandemic, Zoom and widespread remote work were new and strange just over a year ago. Together they unleashed a huge learning curve and an alarming new set of cybersecurity risks.
People may be returning to their workplaces now, but the way we do business is forever changed — and cybercriminals have tailored their attacks to suit.
A worrying example: In April, Dutch security researchers demonstrated how a new flaw in Zoom could let hackers gain complete remote control of a PC or Mac. The hack needs no user interaction — just for the Zoom desktop app to be running. It’s one among many threats facing organizations as they continue to adjust to the new ways we work.
No business is safe, and no business is too small to attack, warns Rodney Gullatte Jr., certified ethical hacker and CEO at Firma IT Solutions.
“I hear people calling it ‘overkill’ — the investment and the defenses that you need for your business to be safer,” Gullatte said. “Companies have to realize cybersecurity is an important investment for them to sustain their businesses now. They are all targets. This is a global criminal enterprise — there are cybercriminals out there killing it. ... This is a money thing. Only money matters — whether you’re big or small, the money matters. They want you.”
This week, the Business Journal looks at three cybersecurity threats to watch in 2021 — ransomware, social engineering attacks, and targeting remote devices.
SOCIAL ENGINEERING ATTACKS
Social engineering attacks — in which hackers trick people into breaching security practices and giving up valuable information — are nothing new, but they’re skyrocketing. In 2020, Microsoft found these attacks jumped to 20,000-30,000 a day in the United States alone.
“Social engineering has always been a danger; they’re just getting more sophisticated in their delivery mechanisms,” said Mike Crandall, CEO at cyber risk management company Digital Beachhead. Gone are the spelling errors, bizarre sentence construction, fishy premises.
“They’re really fine-tuning these things,” Gullatte said. “A lot of people have the idea that they’d be able to recognize the wording or the way the attack would come — but that’s not true.”
Hackers use legitimate-looking web pages, built with software available on the Dark Web, to mimic sites like Facebook and Amazon, “and victims don’t realize they’re at the wrong site,” Crandall said. “So people are clicking the links. … And just one click is all it takes.”
Cyber experts have long urged businesses to educate employees on how to avoid getting sucked in by these attacks, which increasingly contain highly localized lures and convincing details. The trouble, Crandall says, is most companies tackle it the wrong way.
“It’s bringing the horse to water, but you can’t make them drink,” he said. “If you train them and train them and train them, you’re doing your due diligence — but it just takes that one person who doesn’t pay attention to the training, doesn’t care about the training, is confused about the training, and you’re still vulnerable.”
Crandall recommends “varied training — consistently — versus the annual death-by-PowerPoint i-training.”
Stagger the training, make it more frequent, and make sure it’s “always different and dynamic and grabs some attention, but isn’t overly long,” he said. “That’s more likely to keep it right in your head, more than ‘I think I remember I got that last year.’”
In addition to revamping their cybersecurity awareness programs, businesses should be applying patches, adding anti-malware programs, using secure passwords, and securing WiFi, routers and VPNs.
RANSOMWARE
Ransomware exploded as the cybercriminal’s weapon of choice during the pandemic, as more companies moved to digital work. A study by cybersecurity company Deep Instinct found ransomware incidents jumped 435 percent between 2019 and 2020, and Cybersecurity Ventures predicts businesses worldwide will fall victim to a ransomware attack every 11 seconds in 2021.
“On the Dark Web right now you can buy ransomware-as-a-service for $75 — so anyone who just knows how to get on the Dark Web can build a ransomware campaign,” Crandall said. “In the hacker world, if they’re giving away ransomware as a service for 75 bucks — that’s the low end of the technology, which means the quote-unquote ‘hacker professionals’ are using something much more intelligent. It’s dangerous because, again, it’s one click — you just have to get that one individual to buy in.”
Last August, the city of Lafayette, Colorado, paid $45,000 to hackers after a ransomware attack knocked out municipal phone and email systems — but lucrative attacks like that are the tip of the iceberg.
“You tend to hear about the bigger ones and you tend not to hear about the smaller ones,” Crandall said. “If a small mom-and-pop business gets hit with ransomware and they’re asked for $500 they’ll probably pay the 500 bucks and not tell anyone — and then ask around, ‘How do I fix my network? How do I stop this from happening?’”
Small businesses are big targets for ransomware, but it doesn’t have to be that way, Gullatte says.
“The question I want to get out there is: If you got hit with ransomware right now, would you have to pay it?” Gullatte said. “There’s no reason for a company to have to pay a ransom now. There’s no reason, if their [data is] properly backed up, that they should have to pay it. There are a lot of other steps to do around that, but that is an important one.”
And there’s a right way and a wrong way to protect your business, Gullatte added.
“If you don’t know what you’re doing, ask questions,” he said. “Google is not a professional. The person you’re paying $15 an hour to do all your IT is not a professional.”
Businesses struggling to afford expert help amidst financial fallout from the pandemic aren’t alone, he said.
“Come to the Pikes Peak [Small Business Development Center] and we will educate you,” Gullatte said. “I’m a consultant there; we have a bunch of cybersecurity consultants, and we’ve got a way to take care of it that’s not going to break the bank. It’s funded by the federal government, so use those resources.”
TARGETING REMOTE DEVICES
The COVID-19 pandemic saw the number of organizations telling their employees to work from home jump by 88 percent, according to a Gartner study — and hackers welcomed the sudden mass migration to remote work.
Remote devices — laptops, computers, smartphones, tablets, networked cameras and storage devices, and streaming video devices — increase the attack surface exponentially. In addition, employees unfamiliar with the tools and tech needed for remote work are vulnerable, and home offices aren’t set up for maximum security (according to Comcast, the average household is hit with 104 cyber threats a month).
“The cyber threats facing even the most lightly connected homes have grown so numerous and so complex, that ordinary people can barely keep track, much less protect themselves,” said Noopur Davis, chief product and information security officer at Comcast, in a press release.
Comcast also found 80 percent of consumers said they weren’t confident they’d know “if one of their non-screen devices — such as a wireless printer or security camera — had been hacked.” Almost two-thirds said they also shared passwords with family members and friends, a practice that exposes household networks to attacks.
“When I talk about people working from home, I remind everyone that their network now includes their kids, their refrigerator, their cameras — whatever they have in the home,” Crandall said. “So while they may think they’re protecting the data on their laptop by not having the kids play on that laptop, if someone in your family gets ransomware, probably everyone in your home network will get ransomware. Then you bring your laptop to work.
“And if your laptop has been corrupted on your home network and you just VPN into your work office, your work is now corrupt — and you never even had to go in.”
One of the most basic precautions: Change the default passwords on every device in your home network.
“And when you bring a work computer into your home, I’d suggest you go out and pay for a $100 router and segment it,” Crandall said. “Don’t live on the network your family lives on. We love them, but we can’t trust them.”