In the last decade we have seen a huge increase in the use of the Internet around the world and now almost every company has an online presence. The dramatic increase in domestic and business users has made the digital world more complex and as a result, security risks have become more common and sophisticated.
As far as the criminals of cyber world are concerned, the numbers show a steady increase in cyber-attacks, information leaks, and hacks. Here is a list of the main security risks that must be taken into account when implementing an efficient cybersecurity plan:
More and more companies are turning to such systems for their flexibility and ability to store large amounts of information. For this reason, they are an attractive target for hackers, since even a small security breach can be disastrous. To prevent this, companies have to discuss and demand the best security systems from their service providers.
Social media is considered the main threat because of its growing popularity and diversity. With the arrival of Facebook, Twitter, LinkedIn and numerous other platforms, hackers have access to countless attack routes. Social networks connect people, but through chains of friends and acquaintances, accompanied by a convincing profile and unexpected requests for friendship can become the best breeding ground for information leakage and with the help of a system of poor security can even topple large companies.
Internal Risk Factors
Security experts know that some of the most dangerous cyber-attacks come from the inside. These attacks can have a devastating effect, especially since a privileged user knows what data to use or destroy.
Recent studies conducted by the CERT Insider Threat Center at the Institute of Software Engineering at Carnegie University and supported by the US Secret Service have shown that malicious users within organizations are detected only after 32 months.
The most vulnerable areas are financial institutions, such as banks and stock exchanges. Unfortunately, the only way to protect a company from this threat is to carefully evaluate its own workforce, which is itself a very difficult task.
The recent implementation of the new HTML 5 protocol means that there is a high risk of security breaches in this standard. The new protocol allows the connection of several technologies that might not work safely together, which may allow hackers to do their job without being identified. Although HTML 5 has improved a lot in the last two years, it is still a new protocol, and therefore more likely that developers who use it comment on errors that could compromise the integrity of systems. In fact, some experts expect an increase in cyber-attacks.
Advanced Persistent Threats (APTs) are targeted attacks against companies or organizations to try to steal and filter information without being identified. Usually, with the help of social engineering, they gradually break down security barriers until they infiltrate the internal network. APT attacks can be very difficult to detect, mainly because they target the servers and act very slowly and outside the peak working hours. Generally, an APT can be detected when an abnormal traffic change is observed in the system, but the variations are barely perceptible.
Attacks usually focus on common files and contain lots of information, such as Microsoft Word or PDF files. As well, another area that can be exploited are the integrated systems and mobile devices that are increasingly present in the work environment. That is why even the smallest and least used digital devices need to be protected (such as tablets, smartphones and mobile hard disk drives).
Bring Your Own Device is an increasingly difficult phenomenon to control in the workplace as there are more and more devices that can connect to the Internet. The offices are packed with Android devices, iPhones, iPods and a variety of tablets and other devices that can act as gateways for experienced hackers. Users of these devices generally do not fully understand the risks to which they are exposed and expose them to the organizations where they work.
These new devices have a variety of applications installed, some with poor security settings, which may contain malicious software. For example, every modern Smartphone has a built-in high definition camera, a voice recorder, a sensitive microphone and recording applications.
Malware has long been a powerful tool used by many expert hackers. But the new danger comes from precision-driven malware (an evolved type of malware attack). Their technique has greatly improved, the objectives are more specific and are designed to attack specific configurations and components. The most vulnerable systems are social media platforms, including their respective accounts and groups, mobile devices, and remote servers.
Botnets, like other cyber weapons, are becoming more specialized and dangerous. Cybercriminals know that these tools are their best assets and will continue to invest a lot of time, technology and funds in them. Now they become more present through the growing variety of platforms and are distributed easily in almost all systems. Takedowns launched by large corporations such as Microsoft or Adobe works temporarily, and it’s only a matter of time before cybercriminals improve their spam and malware tools. In short, they are learning from every step and constantly refining their attack skills.
Cybersecurity and Businesses
We live in a digital era. Businesses have been transformed, have taken the step and now use the Internet to carry out almost any business activity but do we know what our online businesses are exposed to? Just as you would not leave the door of your offices open you should not forget the importance of the security of your company in an increasingly connected world.
What would happen if your company suddenly lost all of your information or could not access it? For this reason it is important to be aware of the importance of a company responsible and concerned about taking security measures on the internet.
In the digital world of e-commerce there are also robberies, which are more dangerous than those suffered by the owners of a business with physical headquarters. There are organized gangs of cybercriminals specializing in cyber-attacks targeting corporate databases. Internet attacks operate from different fronts, including fraudulent financial transactions, theft of accounts and passwords of customers or the redirection of transactions of customers to fake websites. The damage caused by these attacks is twofold: huge losses of money for the company and a noticeable loss of the reputation of the e-commerce.
Usually, when we talk about cybersecurity in companies, we think of buying a large number of technological elements such as firewalls, antivirus, IDS’s. Contrary to this, many companies do not commit to the security of their information because they consider that implementing security measures and protections against cyber-attacks is an expense and not an investment. Unfortunately, this conception opens the door to great economic losses in organizations.
Protecting the information of the organizations has become a basic necessity, since it is fundamental for the activities of the company to develop successfully, however, in order to implement a security strategy it is necessary to identify the risks that we face on a daily basis. In organizations we can identify the following hazards that could affect the proper functioning of the business:
Abuse of Resources
A common practice is to allow computer users to operate with all privileges, unfortunately, you are granting users to install applications that could put the infrastructure at risk because installing applications without supervision could omit the update of such applications or allow the installation of piracy, in addition to the large part of malicious code (Viruses, Worms, Trojans, etc.) which requires administrative privileges to make changes to our systems.
Moreover, there is no control over the installed applications, hence there is no control over which programs can access the internet, allowing various software that is outside the company’s activities to use the bandwidth.
Information is one of the most important resources of any organization and much of it is stored in computer equipment so that if access permissions are not properly assigned, unauthorized internal or external users would be allowed to have access to information putting at risk the activities of the entire organization.
This type of mail is a problem in general because much of the traffic in the network corresponds to this type of mail, and that its content could include malicious codes or links to sites with content that is inappropriate or dangerous to the computer. Moreover, spam brings another problem because users receive lots of spam and spend a huge part of their time to eliminate these unnecessary emails.
There are various malicious users on the internet who are engaged in attacks against the infrastructure of the organization, these attacks can have several objectives and mainly identify the following:
- Denial of Service
This attack is developed with the aim of preventing users or customers of the company from accessing the specific services offered, whether its e-commerce or online customer services.
- Use of Resources
Some intruders take advantage of the company’s resources to carry out other attacks, for example, an attacker could use the storage of a server to store a large amount of malicious software, decreasing storage capacity for company information.
- Malicious Code
Malicious codes are programs that have the objective of causing some damage to computer equipment or information, in general, they become a problem in many organizations because they affect the performance of computers. In addition, some of them allow access to confidential information or open a door for intruders to take complete control of the computer.
There are other dangers that companies may face, however, they depend on the context in which the organization operates, so it is important to highlight that the level of security established in a company must respond to their protection needs. Contrary to this, companies can also establish appropriate levels of security with the computing infrastructure they already have.
Following a few simple precepts can protect you from many attacks. Bad practices are a major flaw in your organization’s IT security.
Train your employees and collaborators
You need to educate your employees about the major dangers of cybercrime. Encourage them to choose complex and varied passwords and renew them on a regular basis. Always backup your data on a secure medium to prevent loss due to an attack or human error. Establish a computer charter governing the various uses of computer equipment within your company.
Keep your system up to date
Software updates provide access to new functionalities, but also, and above all, to correct any security vulnerabilities. An outdated program is a potential gateway for cybercriminals who would like to access your business data. By keeping your computer system up to date, you limit the risk of attack.
Avoid use of external devices
We speak of external memory devices (USB) that we take to work from home or are passed between employees without having previously been analyzed or formatted to prevent the entry of malware into the computer equipment of the company. The alternative of sharing documents in the cloud is much safer than using USB or other storage devices.
Avoid use of social networks
Another of the daily behaviors of employees that can jeopardize the company’s cyber security: access to their profiles on social networks, reading messages or downloading files, from unverified sources, from their Facebook, Twitter, or Instagram accounts.
Malicious use of corporate mobile devices
Mobile has become one of the main concerns for cybersecurity of the company. Incorporating company e-mails into the smartphone and, for example, connecting from public Wi-Fi networks, can make sensitive data available to cybercriminals and other organizations. Likewise, using instant messaging and file sharing services can trigger the hacking of the smartphone and company’s crucial data.
Beware of emails
Fraudulent emails remain a common technique of cybercriminals. They are used in phishing attempts, scams, or spreading malware. As a result, some essential rules must be applied in a systematic way:
- Verify the identity of the shippers.
- Do not open attachments or suspicious links.
- Stay alert to non-solicited emails.
- Do not respond to a request for confidential information, login confirmations, and passwords or bank details.
Leave without blocking equipment or log out
Taking a break and leaving the job requires that you have configured the automatic locking systems of the company’s equipment in order to prevent anyone from using them. These locking systems must be protected by strong passwords. In the same way, the process of shutting down the computers should not be based on a simple buttonhole (something very common) but should be closed session in each and every one of the programs that were being used.
Your network is your main tool. A bad management of the cybersecurity in the company represents a major risk for the durability of your company. It is essential to put in place the necessary defenses in order to ensure the safety of your company and your customers.
Do not upload files to the cloud without encryption
Data cloud is a good option to avoid the use of external devices that may be infected and jeopardize the cybersecurity of the company. No matter which clouds service you use, you must have the minimum precautionary measures, including encryption of folders.
Do not send bulk emails to clients
It may be for a marketing campaign or a multi-user communication, but it is another of the risk factors for cybersecurity of the company. In many cases, emails are sent in which they appear the emails of an open list of clients which compromises the privacy of their data, an unforgivable negligence for a company that, above all, must watch over the privacy of its users.
Move from layered security to integrated
Many companies have multiple security solutions that have long been the best in their range but are now too costly and difficult to manage. Moving toward integrated solutions where all components communicate and work together will help solve this. For example, if malware deactivates an endpoint’s security software, network security should automatically quarantine that specific device and ultimately reducing the risk of a cyber-attack.
Improve coordinated defense
Cybercrime is a form of organized crime, so your defense must also be organized. That means choosing tools and processes that remove barriers within the company so that everyone can respond quickly to the same cyber-attack. It also means that new opportunities must be sought for legal and practical collaboration with other companies and institutions so widespread attacks can be mitigated and mistakes made by others can be learned.
Cybersecurity has become one of the main concerns of small and medium businesses. Cyber-attacks, data theft, phishing, and ransomware are the known risk, but to what you can avoid them? Avoid the above said behaviors that jeopardize the cybersecurity of the company and stay safe.
We believe it is something that could never happen to our business until it happens. A cyber-attack means a lot of damage at all levels of our company while for the attacker it is a risk, but where do we start protecting our company?
We know that a secure company on the internet is one that has trained its employees in security matters and knows its importance to avoid possible risks and threats in this field. In May 2014 the e-commerce platform eBay admitted to being the victim of a cyber-attack that affected 145 million users. Consequences? Many of them were forced to change their password in addition, during the days following the release of the news of the attack, eBay shares plunged to historic loss.
We are all aware of the changes that the internet has caused in our lives in terms of facilitating access to information and instant communication. Experts say that its potential is almost unlimited and is still in its development phase, from the transformation of social relations to the creation of smart cities, until we operate the “refrigerator and the closet” without moving from the sofa. It will make our lives easier and work more productive.
However, in this age of nonstop changes of technology, it is imperative to take care of the value of the information that we publish on this network, since the potential offered by the internet presents a similar risk when an insecure use can put our private and confidential information (such as the numbering of our bank accounts, data of our company, the privacy of our children, or our own identity) at risk.
Each of us must be responsible for our internet use, especially sharing the data on smartphones among different people. Follow these tips and stay safe:
- Use strong passwords and do not share them between services.
- Review the privacy settings of your social networks and not add strangers.
- Be careful with the information that is published on the internet.
- Install security plug-ins in the browser and use the private browsing option when necessary.
- Always make purchases from trusted websites and have a valid digital certificate.
- Protect your WIFI network properly and use extreme caution when using a private Wi-Fi.
- Do not believe everything you read online, nor forward chain messages.
- Review your browser’s security settings and periodically delete the information it stores.
Cybersecurity is no longer just the responsibility of IT experts, but of everyone. It is us who visit suspicious links, who download unknown files and ignore the security warnings of our applications. And in that sense, the importance of cybersecurity and self-protection lies precisely in being responsible and cautious to avoid risks and surprises.