One of our core values is continuous learning. Every member of our diverse team brings unique skills and expertise to deliver for our clients. Part of continuous learning is sharing, so once a month we get the team together for a lunch and learn series we call Knowledge Nibbles.
This month’s virtual learning session was led by Joe Reda, BitBakery’s CTO and cybersecurity expert.
Cybersecurity practices may be straightforward while working from the office, but how can you make sure you stay secure while working from home? You’ve probably heard it said: “a chain is no stronger than its weakest link.” This old saying is more relevant than ever given the rise in cyberattacks since work-from-home became the “new normal”, a time when security practices may not be followed as strictly as they were in the office.
When a single weak spot within this modern chain is inevitably found, an array of sensitive information could be compromised.
Just look at what happened to Twitter earlier this year when staff were targeted through their phones. The successful attempt let attackers tweet from celebrity accounts like Bill Gates, Joe Biden and Kim Kardashian sharing a Bitcoin scam. It reportedly netted the scammers more than $100,000.
GPS and wearable technology company Garmin also experienced an attack this year when hackers deployed a ransomware tool, rendering programs useless until decrypted. The hacking organization then demanded a large fee for the decryption key.
Could these attacks have been prevented with better security measures? Here’s what Reda advises — you need to know about types of cybersecurity threats, how to identify them, and how to defend yourself against cybersecurity threats.
Types of threats
Attacks like the examples mentioned above are happening more than you may think.
With the prevalence of attacks increasing, Reda says it’s important to understand what types of threats are prevalent in order to defend yourself and your company.
Phishing: Phishing threats are untargeted attacks directed at a large number of people in the hope that some will be fooled.
- Example: Generic email asking you to reset your password at a well known site
Spear Phishing: Spear Phishing threats use social engineering techniques on specific people to gain privileged information.
- Example: An email that appears to come from a coworker, asking you to help them reset their password
The attacks on Twitter and Garmin are examples of spear phishing attacks. With Twitter, the private details of high-profile users were put at risk of exposure, and those users had no way to protect themselves. With Garmin, it resulted in a huge loss after a five-day outage and a (reportedly) paid ransom of $10 million.
At its core, preventing attacks is about having closely followed best practices set in place for cybersecurity. After all, a hacking organization can’t ransom anything if it can’t breach your system. So, how can you identify a threat before it turns into an attack?
How to identify threats
Reda’s advice? Be paranoid — if something doesn’t feel right, don’t do it. If you receive an email or pop-up that seems off, don’t click on any links or follow the directions in it. Some common tells to look for are:
- Grammatical errors: Many phishing emails are filled with grammatical errors, odd capitalization, and misspellings. The emails might also contain odd phrases or sentences that sound a bit off. Read your email aloud. If something doesn’t sound right, or professional, be suspicious. It could be a phishing attack.
- Low-resolution logo: Phishers will often cut and paste the logos of government agencies, banks and credit card providers in their phishing emails. If the logo is of low quality — it’s fuzzy, indistinct, or tiny — this is a sign that the person contacting you doesn’t really work for that company.
- Odd URL: Hover over whatever link the message is asking you to click (on a phone, long-press it). This will show the link’s real destination, which is often not the company that is supposedly sending you the message. Look at the actual domain, the part just before the first single slash, rather than the start of the address: attackers put the real brand name in a subdomain or path (something like paypal.com.example.net/login) so that a quick glance looks right. Just be careful when hovering; you don’t want to accidentally click on the link. And remember that a well-made phishing email may show none of these tells, so the absence of errors is not proof that a message is genuine.
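The “odd URL” check above can be automated. The following is an added example, not code from the original session: it parses the links out of a constructed sample email body, compares each link’s real domain against the domains the sender is expected to use (an assumed allow-list), and flags links whose visible text names one site while the href points at another. The domain logic is deliberately naive (last two labels); production code should use the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing body for the demo; not a real message.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended. Verify now:</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com/help">Help Center</a>
<a href="https://secure-paypal.example/reset">Reset password</a>
"""

# Assumption: domains this sender legitimately uses. Anything else is suspect.
EXPECTED_DOMAINS = {"paypal.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the hostname.
    "paypal.com.account-verify.example" -> "account-verify.example".
    Real code should consult the Public Suffix List (e.g. for "co.uk")."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def check_link(href: str, text: str, expected: set) -> list:
    """Return a list of human-readable findings for one link (empty = nothing odd)."""
    findings = []
    href_host = host_of(href)
    href_dom = registrable_domain(href_host)
    if href_dom not in expected:
        findings.append(f"href domain {href_dom!r} is not an expected domain")
    # Visible text that itself looks like a URL or hostname but disagrees with the href.
    if "." in text and " " not in text:
        text_url = text if "://" in text else "https://" + text
        text_host = host_of(text_url)
        if text_host and registrable_domain(text_host) != href_dom:
            findings.append(f"link text shows {text_host!r} but href goes to {href_host!r}")
    if urlparse(href).scheme == "http":
        findings.append("plain http link")
    return findings


def analyze(html: str, expected: set = EXPECTED_DOMAINS) -> dict:
    """Map each href in the body to its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text, expected) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in analyze(SAMPLE_EMAIL_HTML).items():
        print(href, "->", findings or "ok")
```

Run against the sample, the first link is flagged three times (wrong domain, text/href mismatch, plain http), the real help-center link is clean, and the look-alike “secure-paypal” link is flagged for its domain alone, which is exactly the case a hover check catches and a quick read of the link text does not.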
Got phished? Don’t panic, says Reda. First report it to your IT department, then disconnect from the internet and secure your systems. If you typed a password into the phishing page, change it right away (and anywhere else you reused it) and sign out of that account’s other sessions, since the attacker may already be using the credentials.
How to defend against cyberattacks
Defending yourself against cyberattacks comes down to being aware of threats and taking steps to minimize them. Habits that take a small amount of time now but save a lot of trouble in the long run include:
- Backing up your information,
- Double checking links,
- Being suspicious of anything that seems off,
- Sending sensitive information using a secure method,
- and using a password manager.
In addition to these things, one of the best ways to protect yourself is through the use of multi-factor authentication. When you log onto a site — say your online bank or credit card provider — you provide your username and password as usual. If you have two-factor authentication enabled, the site will then ask for a second factor, for example a code texted to you or generated by an app on your phone, before you can complete your login. This gives you an extra layer of protection, and you can get this protection in a few different ways:
SMS verification: At the bare minimum, Reda advises using SMS as a method of multi-factor authentication. It’s free to use and supported almost everywhere. It is also the weakest of the options here: a code sent by text can be stolen by someone who convinces your carrier to move your number to their SIM, and it can be phished in real time by a fake login page that relays it to the real site. Use it where it is all that’s offered, and prefer one of the options below where you can.
Authenticator apps: The next best thing is authenticator apps, such as Google Authenticator. While they can be annoying to use from a user perspective, these apps are free and widely supported. The code is computed on your phone from a secret shared with the site, so there is nothing to intercept in transit, though a code can still be phished in real time. Just don’t lose your phone, as you’ll lose access to your accounts as well; save the backup codes each site offers when you enroll, and keep them somewhere safe and offline.
Security keys: According to Reda, security keys are basically the Cadillac of multi-factor authentication – they're very, very secure. The reason is that the key’s response is tied to the site you are actually on, so a fake login page cannot use it to sign in to the real site; this is what makes keys phishing-resistant where SMS and app codes are not. Because it is a physical device, it can be lost or may eventually need replacing, so register a second key as a backup. Reda still advises this as one of the best ways to secure your information.
One time codes: Last but not least, one-time codes, whether texted, generated by an app, or printed as backup codes, validate your identity for a single login and are then useless. That is what makes them stronger than a static, reusable password: a code an attacker captures cannot be replayed later, and app-generated codes also expire within a short window. They do not replace your password, and a code entered into a phishing page that forwards it immediately can still be abused, which is why security keys remain the stronger choice.
If there’s one thing Reda wants people to take away from this session, it's that you should become aware of the threats and use multi-factor authentication to defend yourself and your company. Attacks can happen to anyone, and security as a whole is only as strong as the weakest link. Now that you know more about cybersecurity practices, take the time to secure your information and start building good security habits.