Do not gamble your company’s future against cyber threats

A series of cyberattacks has hit many organizations around the world, especially government bodies and large corporations. In Hong Kong, meanwhile, financial institutions and the finance departments of enterprises appear to be the more popular targets for cybercriminals, given the value and sensitivity of the data they hold. Formidable as it seems, ransomware can be kept at bay through preventive measures.
As savvy cybercriminals keep changing their approaches, cyberespionage and ransomware attacks continue to rise. The latest Data Breach Investigations Report published by Verizon outlines how cyberespionage cases typically originate from phishing emails, while ransomware is a type of malware whose aim is to extort money from its victims:

·       Pretexting is on the rise: Pretexting is predominantly targeted at financial department employees – the ones who hold the keys to money transfers. Email was the top communication vector, accounting for 88 percent of financial pretexting incidents, with phone communications in second place at just under 10 percent.

·       Gone phishing: People are still falling for phishing. Around 1 in 14 users were tricked into following a link or opening an attachment, and a quarter of those went on to be duped more than once.

·       Password protection: 80 percent of hacking-related breaches leveraged stolen passwords and/or weak or guessable passwords.

·       Smaller organizations are also a target: 61 percent of victims analyzed were businesses with fewer than 1,000 employees.

A cyberattack can impact every part of a business and have far-reaching, even personal, consequences. To avoid becoming the next victim, organizations must understand the threats they face and develop the right mindset to combat cybercrime.

Here are a few essential tips everyone should bear in mind:

1.      Stay vigilant.
Never use default passwords, as this makes criminals' lives much easier – it sounds like a no-brainer, but many still fail to change them. It is also important to train your employees in security awareness, and to encourage or reward them for reporting suspicious activity such as potential phishing or pretexting attempts.

2.      Access data on a “need to know” basis.
Know your own data, particularly the more sensitive kind. You have to know where it resides, who has access to it, and who, in fact, does access it. To prevent your data from flying out of your organization, you must also set up controls to monitor data egress. If data leaves, you need to know about it and where it is headed.

3.      Keep sensitive data separated.
If you hold highly sensitive information, keep that data segregated by encrypting it, i.e. translating it into a private code. Sensitive data should be unlocked only with a secret password, and access should be granted only to those who need it to perform their job.

4.      Taunt them a second time.
Always add an extra layer of security by using two steps to verify your identity, such as a password and a text message. Implementing two-factor authentication for administrative access to web applications and any other devices that store data greatly reduces the effectiveness of stolen credentials being reused to unlock the door to member or customer information. If feasible, it is also recommended to extend strong authentication to your user base.

As new cyber threats continue to emerge and evolve rapidly, businesses need to step up and take a more proactive, aggressive approach to cybersecurity. Always remember that everyone in a company – not just the security experts – needs to understand the threats and how to mitigate them.

It’s time for everyone to take cyber threats seriously.

Patrick Wong is head of Security Engineering, APAC at Verizon