Right now, we are surrounded by technology that allows us to access information about anyone and anything with the click of a mouse. Large organisations use technology to store data for accessibility and efficiency but because of this, can be brought to their knees and resort to using pen and paper after a deadly cyber-attack.
In this post, you will learn why cybersecurity is the most critical topic in today’s technology-dependent world and how companies can defend themselves from possible cyber-attacks.
Importance of Cybersecurity
Cybersecurity is important partly because of the huge costs that cyber-attacks can impose on governments, businesses, and consumers. Cybersecurity Ventures, a US research firm, predicts that cyber-attacks “will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015” (PwC, 2018).
So, why is data on devices prone to attack? It is because human-coded software is full of bugs, which create points of weakness that hackers can exploit. Dr Ian Welch, an internet security researcher and Associate Professor at Victoria University of Wellington explains that “one way that these flaws are exploited by attackers is in so-called “drive-by” attacks, where hackers are able to bypass organisational defences, such as firewalls, and directly infect a victim’s computer. This might be done by infecting a website. The goal is to exploit both the trust of … users and bugs in their web browsers to install a virus allowing the hacker access to the organisation’s network” (Welch, 2016). It is difficult to detect infected websites because, according to Dr Welch, as we “develop new defences, attackers develop new attacks, which means we have an ongoing arms race” (Welch, 2016).
Common Methods of Cyber-Attack
There are three extremely common methods that hackers use to attack organisational networks:
1. Phishing
Phishing involves using emails to steal sensitive data like credit card numbers and passwords, or to install malware onto the victim’s device. ‘Whale phishing’ attacks are also becoming more common. This is where the attackers target a prominent employee. This might involve making it look like the email has come from someone within the company. An example is a staff member getting an email that looks like it’s from the CEO which “could ask them to pay an invoice on their behalf or send them private staff details” (CERT NZ, 2019).
2. Malware
Malware refers to malicious software such as spyware, viruses, ransomware and worms. Malware gains access to organisational networks through points of weakness, especially when a user clicks on a deceptive link or email attachment which then installs the malicious software (Cisco, 2018).
3. Zero-day exploits
When developers discover a bug in a software program or operating system, cybercriminals have a window of opportunity to exploit the vulnerability before it is fixed. “Zero-day” refers to the fact that the developers have “zero days” to fix a newly discovered security flaw, and malware that targets the newly discovered vulnerability is called a “zero day exploit” (Norton, 2019).
Defending Against Cyber-Attacks
According to Dr Welch and other sources, there are four critical steps that organisations should follow to defend against cyber-attacks:
1. Seek advice from experts
First, employ someone who can assess where your company stands against potential attacks. What valuable information do you have? How is it currently protected? Ask the cybersecurity consultant to create a cybersecurity plan or guidebook, which you can follow in case you find yourself under attack.
If you are an IT company that creates software, hiring developers to check code can be a good defensive strategy. Dr Welch, through his research, has concluded that human error triggers most attacks. For example, minor bugs such as buffer overflow from not implementing out of bounds exceptions can be used to “manipulate a computer’s memory to subvert or control program execution” (Rouse, 2016).
2. Install software updates
All organisations should run on secure operating systems, at least Windows 10. The National Health Service (NHS) didn’t follow this advice and was hit by a global cyber-attack which infected 300,000 computers. NHS computers were affected by the ‘ransomware’ cyber-attack which demanded money in exchange for locked computer files. Operation and appointment details saved on the computers were impossible to retrieve without paying the ransom and more than 19,000 appointments had to be cancelled. This attack demonstrated the importance of cyber-security; not taking the appropriate measures can have life-threatening consequences. WannaCry, the ransom-ware, targeted computers running on Windows XP and Windows 7, an outdated operating system which Windows no longer supported in terms of security updates (Trendall, 2008).
3. Educate staff
Training employees in the basics of cybersecurity can be done through meetings and by creating a cybersecurity guidebook for your organisation. The guidebook should lay out the steps to follow and information about who to contact in the case of cybersecurity emergencies. Systems can be hacked through outdated software; therefore, employees need to be informed about installing updates and patches for applications as soon as they become available. Employees should be warned not to double click on doubtful links, and should be instructed to create strong passwords (long random phrases which are easy to remember) and change passwords frequently. Employees should also be educated about the significance of cybersecurity and regularly backing up data; ignoring the risks can result in a loss of money and the leak or theft of confidential data.
4. Implement Two Factor Authentication
To protect your customers as well as your own systems, two-factor authentication should be implemented. This is where the user needs to provide details in addition to the password in order to verify their identity. “You can mitigate credential reuse, sophisticated phishing attacks, and many other cybersecurity risks by using 2FA” (CERT NZ, 2019).
Conclusion
Cyber-attacks can compromise customer and employee information, or even prevent the organisation from functioning as in the case of the NHS. Would you ever want to be in a situation where your safety, health, reputation, or livelihood was compromised due to insufficient cybersecurity efforts? Cybersecurity is necessary not just because it can affect a business’s bottom line but because social welfare and personal freedoms are at risk. As a result, business leaders need to make substantial efforts to protect networks from cyber-attack as well as to guarantee data privacy.
Fariha Tasheem is currently a student at Victoria University of Wellington studying a Bachelor of Science majoring in Computer Science and Bachelor of Commerce majoring in Finance and Management. She enjoys reading, baking, coding and spending time with her family.
Image: Pexels
References
CERT NZ. (2019). Top 11 cyber security tips for your business. Retrieved from https://www.cert.govt.nz/businesses-and-individuals/guides/cyber-security-your-business/top-11-cyber-security-tips-for-your-business/
CERT NZ. (2019). Protecting your business from spear phishing and whaling. Retrieved from https://www.cert.govt.nz/businesses-and-individuals/guides/cyber-security-your-business/protecting-your-business-from-spear-phishing-and-whaling/
Cisco. (2018). What Are the Most Common Cyber Attacks? Retrieved from https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html
Fortune. (2006). These Types of Hackers Are Driving Cyber Attacks Now. Retrieved from http://fortune.com/2016/03/21/cyber-attacks-cybersecurity/
Norton. (2019). Zero-day vulnerability: What it is, and how it works. Retrieved from https://us.norton.com/internetsecurity-emerging-threats-how-do-zero-day-vulnerabilities-work-30sectech.html
PwC. (2018).A Practical Method of Identifying Cyberattacks. Retrieved from https://www.pwc.com/m1/en/publications/documents/wgs-cybersecurity-paper-new-updates.pdf
Rouse, M. (2016). What is buffer overflow. Retrieved from https://searchsecurity.techtarget.com/definition/buffer-overflow
Trendall, S. (2008). NHS £150m Microsoft deal will banish Windows XP. Retrieved from https://www.publictechnology.net/articles/news/nhs-£150m-microsoft-deal-will-banish-windows-xp
Welch, I. (2016). Ian Welch: Waging war on hackers a daunting arms race. Retrieved from https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=11659469