Like many Canadians, you probably want to take steps to protect what’s yours, like your devices, identity, online privacy, business, family and home; this is why it’s smart to protect your internet-connected devices and guard your sensitive business and personal information.
Criminals and other malicious cyber threat actors (many of which operate outside our borders) take advantage of security gaps, low cybersecurity awareness and technological developments to compromise cyber systems. They steal personal and financial information, intellectual property and trade secrets. They disrupt, and sometimes destroy, the infrastructure we rely on for essential services and our way of life.
In this blog, you will be taken through various ways to stay secure and mitigate risk, helping you protect yourself against cyber threats in 2021 and beyond.
This content can also be consumed through our on-demand webinar here.
What is Security Awareness Training?
Technology alone cannot protect you from everything; attackers go where security is weakest: the people. Security awareness training is essential for everyone, with the goal of reducing cybersecurity risk; many tips that keep you safe at work will also keep you safe at home.
The average cost of a data breach for Canadian companies in 2020 was 6.35 million dollars, with the main sources of breaches being compromised employee accounts and cloud computing. Mitigating your risk is essential to avoiding fines resulting from violations; those violations stem mainly from the increasing complexity of the compliance standards being enforced and from human error. We recommend putting resources into training your staff to recognize phishing scams and to practise good cyber hygiene. Training and sound cybersecurity policies can fill in the gaps where technology often fails.
When it comes to being cyber resilient, it is not just about the technology; it is also about the people. Cybersecurity can seem overwhelming, but a good first step is putting a security awareness program in place. This program can be very simple and readily developed by you, or with the assistance and support of your managed provider. It should start with basic training for staff and, over time, expand to include updates and reminders on policies, standards and best practices. Your security awareness plan can include a regularly scheduled review to update the existing security measures for your business, including adopting new means of protection, both software and hardware, as needed.
Training and educating personnel is vital to having a strong cybersecurity system in place. Choose topics that are simple, focused and concise. Messages should be repeated; however, it is important to engage with personnel in multiple ways to avoid having your messages ignored. For example, spam advice can be reinforced through emails, posters and staff meetings; you could even supplement this with periodic quizzes, contests and rewards to keep employees interested and involved.
Did you know: Security awareness training is now being added as a question on most cyber insurance policies.
Why does Cyber Security matter?
Cybersecurity is safety; we must protect our computers and data in the same way that we secure the doors to our homes. We must behave in ways that protect us against the risks and threats that come with technology, protecting access to our computers and information, for example with antivirus software, firewalls and similar controls.
Cyber-attacks cause the most security incidents, accounting for 31% of all publicly recorded ones. When it comes to the leading cause of breached records, internal errors top the board, causing 83% of them; internal errors are frustrating for employers, who have no one to blame but themselves. It is their responsibility to educate staff on the security risks they might introduce and to show them how to avoid costly mistakes; users must be aware of the threats that exist in order to properly detect and prevent them. You should care because it can affect your business, your reputation and your bottom line. There are many attack vectors, including phishing, vishing, smishing, ransomware, crypto hacking and many more.
Did you know: 1 in 50 URLs is malicious, and nearly 1 in 3 phishing sites use HTTPS to appear legitimate. In addition, 90% of the malware that businesses and individuals encounter is delivered via email, and most breaches involve phishing or the use of stolen credentials.
- 76% of people will use the same password (or a simple variation) for multiple systems and sites
- 35% of individuals who know they’ve been hacked don’t bother to change their passwords afterward
- 49% of individuals admit they click links in messages from unknown senders during work
- 67% of individuals are sure they’ve received at least one phishing email at work
- Of those who received a phishing email, 40% didn’t report it
How does Security Awareness Training Help?
Reduces Breaches and Infections
- Improve mindset and behaviour
- Create a sense of shared security responsibility
- Reduce over-reliance on technology
Meet Regulatory Requirements
- Implement best data governance practices
- Meet compliance objectives
- Implement affordable cyber-insurance
High Return on Security Investment (ROSI)
- Fewer infections
- Lower clean-up/support costs
- Stronger security posture
- Higher productivity
- High security benefit relative to operational costs
How does Security Awareness Training help individuals?
- Protect your identity and personal data from theft and fraud
- Secure your devices against viruses and malware
- Keep yourself and your family safe from hackers and spies
- Prevent corporate network infections
- Stop business email compromise
- Keep critical business data safe
The Office of the Privacy Commissioner of Canada reported that over 19 million Canadians were impacted by over 500 data breaches in a 6-month period from January 2020 to June 2020. This means that 1 in 2 Canadians were impacted.
Of the 500+ incidents, malicious outsiders made up three-quarters of breaches (74%), an increase of 23% from the last six months of 2019.
However, this source accounted for only 13% of all stolen, compromised or lost records. Accidental loss accounted for 18%, malicious insiders for 8%, and both state-sponsored and unknown accounting for less than 1%, with one incident each.
While malicious insider attacks made up only 8% of all breaches, the number of records they compromised was 20 billion, an increase of over 4,114% from the previous six months. Geographically, North America makes up the majority of all breaches and of the number of compromised records, both over 86%.
Phishing is a type of social engineering that uses emails appearing to originate from a trusted source to trick a user into entering valid credentials at a counterfeit website.
With the coronavirus, an increasing number of reports indicate that cybercriminals continue to exploit the pandemic for malicious purposes. In an effort to help individuals know how to spot phishing scams, we would like to offer a few tips based on common practices and tactics that cybercriminals use to take advantage of unsuspecting victims.
Phishing and other attacks are increasing in frequency, and unfortunately, sophistication. However, there are a number of common indicators of a phishing attack; knowing what to look for goes a long way to protect yourself against attacks. If you spot any of the following tip-offs, proceed with caution:
- Personal information requests
- “Too good to be true” offers
- Scare tactics
- Mismatched URLs
- Questionable senders
Spear phishing is effective because phishers create emails that seem genuine: they contain company logos or trademark information, the subject line is relevant, the message is pertinent. Given receivers’ desire to trust, it is easy for them to believe that these emails are legitimate and click on the links or open the attachments.
Typically, the e-mail and the website will look like they are part of a trusted organization with whom the user is familiar.
Here are five ways to spot phishing attacks.
- The email asks you to confirm personal information
- The web and email addresses do not look genuine
- It’s poorly written
- There’s a suspicious attachment
- The message is designed to make you panic
When in doubt, throw it out: Links in emails, social media posts and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
Don’t be a Phish
- Attachments should be opened only from trusted senders.
- If you are not expecting an email attachment from the sender, it’s a good idea to call and confirm, before opening the attachment.
- Spam email often asks for sensitive information.
Links in emails
- Never click on a link in an email attachment unless you are expecting it.
- If you are not expecting an email link from the sender, it’s a good idea to call and confirm, before clicking the email link.
- If you hover the cursor over a link in an email, the actual destination address is displayed at the bottom of the browser or mail client. Make sure the address shown in the message and the actual destination match.
Trustworthy Web Pages
- Download software only from trusted websites, such as Microsoft for Windows updates and Office application updates.
- Avoid downloading and using freeware or shareware, since most of them either don’t come with technical support or full functionality.
If you’re not sure, contact the sender directly via another communication method (e.g. phone).
- Always verify the sender of a message.
- Always hover over web page links (URLs) in email messages to see where they link to – beware URL shortening services (like bit.ly) that may obscure the final website destination.
- Be skeptical of messages with odd spelling/grammar, improper logos or that ask you to upgrade or verify your account.
- Report suspicious emails to your IT department or managed service provider/managed IT.
- Don’t open an attachment from an unknown sender. Consider the source and whether or not the file was expected.
- Don’t click on a link from an unknown sender.
- Never email anyone your username or password.
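The hover-and-compare check above (does the address shown in the message match where the link actually goes, and is the destination hidden behind a shortener?) can be done by a script over an HTML mail body. The following is an added example, not code from the original post or from any product it mentions: the sample message and its hostnames are constructed, the shortener list beyond bit.ly is an assumption, and the "last two labels" rule for the registrable domain is a deliberate simplification of what the public suffix list would give you.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL-shortening hosts to flag; the page names bit.ly, the rest are assumptions.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# A domain-looking token inside the visible link text, e.g. "www.mybank.example".
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Rough registrable domain: the last two labels (assumption; a real
    implementation would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def displayed_host(text):
    """Domain the visible link text claims, or None for plain words like 'click here'."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None


def check_links(html):
    """One finding per link: the same comparison you make by hovering, automated."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        reasons = []
        if registrable(real_host) in SHORTENERS:
            reasons.append("shortened URL hides the final destination")
        shown = displayed_host(text)
        if shown and registrable(shown) != registrable(real_host):
            reasons.append(f"text shows {shown} but the link goes to {real_host}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample message; every hostname in it is invented for the demo.
SAMPLE_EMAIL = """
<p>Dear customer, please visit <a href="http://mybank.example.evil-login.test/verify">
www.mybank.example</a> to confirm your details.</p>
<p>Or use this <a href="https://bit.ly/3xyzABC">secure link</a>.</p>
<p>Questions? See <a href="https://www.mybank.example/help">www.mybank.example/help</a>.</p>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}  {'; '.join(f['reasons'])}")
```

The first link is flagged because the text names one domain while the `href` lands on another; the second because the shortener hides the destination; the third passes because text and link agree. Plain anchor text such as "secure link" claims no domain, so only the shortener rule applies to it.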
Two Factor Authentication (2FA)
Two-factor authentication, or 2FA, is one of the best ways to protect your personal or financial information. When you log onto a site — say your online bank or credit card provider — you’ll have to provide your username and password as usual. If you have two-factor authentication enabled, the site will then send a text or email to you with a code. You must enter that code before you can complete your log-in to the site.
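The server side of the code step just described has a few properties that make it worth the trouble: the code comes from a cryptographic random source, it expires, it is accepted once, and a handful of wrong guesses burns it. The block below is an added example written for this post, not code from the original or from any bank or site it names; the five-minute lifetime and the three-attempt limit are assumptions, and delivery is a callback so that nothing is actually texted or emailed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses invalidate the code


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Server-side half of the 'we sent you a code' step.

    Message delivery is a callback so the example runs offline; the clock is
    injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, deliver, clock=time.time):
        self.deliver = deliver          # deliver(user, code): send the SMS or email
        self.clock = clock
        self.pending = {}               # user -> PendingCode (one live code per user)

    def issue(self, user):
        """Generate a fresh six-digit code from the OS CSPRNG and send it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = PendingCode(code, self.clock() + CODE_TTL_SECONDS)
        self.deliver(user, code)
        return code                     # returned only so the offline demo can use it

    def verify(self, user, submitted):
        """Second login step: accept the code once, within its lifetime."""
        rec = self.pending.get(user)
        if rec is None:
            return False, "no code pending"
        if self.clock() > rec.expires_at:
            del self.pending[user]
            return False, "code expired"
        rec.attempts += 1
        # Constant-time comparison: response time must not leak matching digits.
        if hmac.compare_digest(rec.code.encode(), submitted.encode()):
            del self.pending[user]      # single use: a replayed code is refused
            return True, "ok"
        if rec.attempts >= MAX_ATTEMPTS:
            del self.pending[user]      # stop online guessing of a six-digit space
            return False, "too many attempts; request a new code"
        return False, "wrong code"


def wrong_guess(code):
    """A guess guaranteed not to equal the real code (demo helper)."""
    return f"{(int(code) + 1) % 10**6:06d}"


def demo():
    """Walk the flow with a fake clock; returns the status strings and the send count."""
    sent = []
    now = [1_700_000_000.0]
    sf = SecondFactor(deliver=lambda u, c: sent.append((u, c)), clock=lambda: now[0])
    statuses = []

    code = sf.issue("alice")
    statuses.append(sf.verify("alice", wrong_guess(code))[1])   # wrong code
    statuses.append(sf.verify("alice", code)[1])                # ok
    statuses.append(sf.verify("alice", code)[1])                # replay: no code pending

    code = sf.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1
    statuses.append(sf.verify("alice", code)[1])                # code expired

    code = sf.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        statuses.append(sf.verify("alice", wrong_guess(code))[1])
    statuses.append(sf.verify("alice", code)[1])                # burned: no code pending
    return statuses, len(sent)


if __name__ == "__main__":
    for status in demo()[0]:
        print(status)
```

The password check that precedes this step is unchanged; what the second factor adds is that a stolen password alone no longer completes the login, and the expiry, single-use and attempt-limit rules keep a code that was phished or guessed from being useful for long.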
Ransomware is a new type of malware that encrypts documents, pictures and other files, making them unreadable. The attacker then holds the decryption key for ransom until you agree to pay money, usually through an untraceable method such as Bitcoin or another digital currency.
Ransomware assumes that you’ll pay to recover your files; if you back them up regularly, you may not need to pay the ransom at all. Paying can, in many instances, put you in jeopardy of potentially aiding and abetting a criminal or terrorist organization.
A ransomworm is an independent program that replicates itself and sends copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate again. Worms are more sophisticated viruses that can replicate automatically and send themselves to other computers by first taking control of certain software programs on your PC, such as email.
Alternatively, stick to reputable websites. Most of these won’t use cryptojacking as a funding model, and if they do, they are likely to notify you and ask for consent beforehand – the negative publicity that comes from secretly using cryptojacking just isn’t worth it for most reputable sites.
Of course, attackers still can compromise the site and insert cryptojacking scripts. While reputable sites tend to have better security, their vulnerabilities can still be taken advantage of occasionally. Due to this threat, using adblockers and automatically blocking scripts from running is a more universally secure option.
As for cryptojacking malware, you can avoid it in essentially the same way you avoid other malware. Important practices include:
- Staying away from dodgy websites.
- Keeping your software updated.
- Educating yourself on social engineering so that you can recognize and avoid phishing attacks.
- Not pirating files – remember Napster and Limewire for free music and applications?
- Only downloading software from the original source. Watch out for bundles, because sometimes cryptojacking files could be included in the package.
- Using a good antivirus.
- Only downloading trusted apps from the App Store or the Play Store.
Some online retailers are currently considering cryptojacking instead of ads to generate revenue. Most worry about the negative implications and loss of reputation if they use this method, but some will try it.
Mobile devices are the new threat landscape. Mobile malware, as its name suggests is malicious software that specifically targets the operating systems on mobile phones. There are many types of mobile malware variants and different methods of distribution and infection.
As more users are steadily moving away from desktop operating systems and favouring mobile devices instead, it was only a matter of time before hackers switched tactics. Right now, the volume of mobile threats is a mere fraction of those that target desktops. However, as more and more sensitive and potentially high-value tasks are carried out on mobile devices, mobile security threats are fast becoming a growing concern.
How do you protect yourself?
- Use secure Wi-Fi. While this won't stop you from navigating to an infected website, using password-protected Wi-Fi connections keeps unwanted third parties from snooping or carrying out man-in-the-mobile attacks between your device and your intended Web destination.
- Watch your email. The devices may have changed, but the threat remains the same: Many attackers still rely on malicious email attachments to infect your phone or tablet. Don't click on links in email and other messages, as these may direct you to phishing or malware websites — this applies to all mobile platforms.
- Be consistent. Only download apps from trusted sources. This ensures that the apps are legitimate and not havens for mobile malware.
- Install antivirus protection. Antivirus and anti-malware solutions are now popping up for mobile devices; install one from a trusted source, then run it regularly to ensure your device is clean. Also, watch out for malware masquerading as virus protection: only download legitimate apps from trusted sources.
- Don't jailbreak or root your device. Doing so increases your risk of infection from untrusted third-party sources. Stay on the stock operating system and benefit from automatic security updates and patches.
SMiShing: like phishing scams, cybercriminals attempt to trick people into downloading malware, clicking on malicious links or disclosing sensitive information, but a SMiShing attack is launched through text messages instead of email. Criminals also use phone calls, called “vishing” or voice phishing, to steal information and money. These are deceptive phone calls aimed at extracting private information such as passwords, credit card numbers and financial details.
Here’s how you can avoid falling for the latest tricks.
- Don’t answer calls from numbers you don’t recognize. Bear in mind, however, that vishing scammers sometimes leave voicemails with a callback number. Do not call a number back without checking to see if it belongs to a business you know. Note that most government agencies, such as the CRA, will not call you unless they have contacted you by mail first.
- Do not trust caller ID numbers. Criminals are routinely spoofing legitimate numbers of established companies and services.
- If you are suspicious, even if you recognize the caller’s organization, hang up before you give out any information or do not answer. If you think the call might be legitimate, call back a number you’ve verified independently — do not use your callback function. For instance, you should hang up on a caller who says they are with CIBC but is not your normal contact.
- Do not give any caller personal or company information, even if they know some of your personal information already. Scammers can steal personal information from other sources or find it on the dark web and will use what they know to trick you into giving them more. The fact that a caller knows something about you or your company is not enough of a reason for you to trust them.
- CIBC/TD/BMO/Royal Bank, like many businesses, will never ask you for account details unless you call them first.
- Fraudsters pretend to be the CRA, IT support, Microsoft, your bank or your insurance company. Often, they will use social media to gather information before the attack.
- Old fashioned letters are now being used, as suspicion around email has grown.
One in every 142 passwords is ‘123456’: a study released last month showed that “123456” is still the most widely used password on breached accounts.
More than 1 billion username and password combinations were leaked online from various corporate data breaches, revealing some alarming results:
- 1 billion credentials were reduced to just 168,919,919 passwords and 393,386,953 usernames
- The most common password is 123456, covering around 7 million entries per billion
- The most common 1,000 passwords cover 6.607% of all passwords
Only 8% of analyzed passwords were unique, with an average length of 9 characters. 20% of the passwords contained letters only and 15% displayed just lowercase letters.
Making matters worse, the analyzed data was gathered from various data dumps, including some roughly five years old. User behaviour has not improved over time, and there is no doubt that cybercriminals have exploited this carelessness.
This statement can be backed up by the conflicting state of Internet users when it comes to their account security. In a May report issued by LastPass, 80% of respondents said they were concerned with having their passwords stolen. However, 66% of participants use the same password on their online accounts, and 53% have not changed their passwords in the last 12 months.
Taking into consideration the vulnerable state of the digital landscape, users should start focusing on the security of their online accounts. It might be time-consuming for some, but can you put a price on your account privacy and the safety of your personal information? Good cyber hygiene practices are the first step; start by analyzing your password re-use and complexity.
A strong password is an important protection to help you have safer online transactions. Here are steps you can take to create a strong password. Some or all might help protect your online transactions:
- Length. Make your passwords long: at least 12 characters, and preferably more.
- Complexity. Include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. However, password hacking software automatically checks for common letter-to-symbol conversions, such as changing "and" to "&" or "to" to "2."
- Variation. To keep strong passwords effective, change them often. Set an automatic reminder for yourself to change your passwords on your email, banking, and credit card websites about every three months – if you are using 2FA, you can extend this to once per year.
- Variety. Don't use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and username in more secure environments, such as banking websites.
- Example of a passphrase built from unrelated words: “Spruce decade knight manager”
For enhanced security, consider using a passphrase instead of a password. A passphrase is more secure than a regular password because it is longer, more complex and unpredictable, making it very hard to guess, even with the software tools that cybercriminals use. Be creative. Use the first letter of each word of a memorable sentence or phrase, then make it even tougher by changing some of the letters to numbers (e.g. use a "3" to replace an "e"). Passwords are easy to guess, especially when they are any of the words that continue to be the favoured security solution for a majority of users, that is, password, 123456, qwerty, etc.
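The password advice above (length, character variety, no re-use, and the warning that cracking tools automatically undo swaps like "e" to "3") can be turned into a self-check. The block below is an added example written for this post, not code from the original or from any password manager it mentions; the common-password list, the symbol-swap map, the three-class rule and the "trailing digits and symbols are just decoration" heuristic for spotting simple variations are all assumptions chosen to illustrate the points made, and the sample account list is constructed.

```python
import re
import string

MIN_LENGTH = 12
# Constructed sample of common passwords; the page names password, 123456 and qwerty.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
# Letter-to-symbol swaps that cracking tools undo automatically (assumption: a
# small representative map, not an exhaustive rule set).
LEET = {"@": "a", "4": "a", "3": "e", "1": "l", "0": "o", "$": "s", "5": "s", "7": "t"}
DECORATION = string.digits + string.punctuation + string.whitespace


def core_of(password):
    """Strip leading/trailing digits and symbols, then undo symbol swaps.

    'P@ssw0rd!' and 'Passw0rd2021' both reduce to 'password', which is how a
    cracking dictionary sees them.
    """
    stripped = password.strip(DECORATION).lower().replace("&", "and")
    return "".join(LEET.get(c, c) for c in stripped)


def assess(password):
    """Apply the length, complexity and common-word checks; returns ok flag and reasons."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:   # assumption: require three of the four character classes
        issues.append("uses fewer than three character classes")
    core = core_of(password)
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        issues.append("is a common password once symbol swaps and decoration are removed "
                      f"({core or password.lower()!r})")
    return {"ok": not issues, "issues": issues}


def find_reuse(accounts):
    """Group sites whose passwords share a core, so 'Summer2021!' on one site and
    'Summer2022!' on another count as the same password (assumption: changing the
    trailing year or symbol is the 'simple variation' the statistics refer to)."""
    groups = {}
    for site, pw in accounts.items():
        groups.setdefault(core_of(pw), []).append(site)
    return {core: sites for core, sites in groups.items() if len(sites) > 1}


# Constructed sample: four accounts and the passwords set on them.
SAMPLE_ACCOUNTS = {
    "bank": "Summer2021!",
    "webmail": "Summer2022!",
    "forum": "Spruce decade knight manager",
    "shop": "P@ssw0rd!",
}

if __name__ == "__main__":
    for site, pw in SAMPLE_ACCOUNTS.items():
        result = assess(pw)
        print(f"{site:8} {'ok' if result['ok'] else 'weak'}  {'; '.join(result['issues'])}")
    print("re-used:", find_reuse(SAMPLE_ACCOUNTS))
```

The four-word passphrase passes every check, while the symbol-substituted "P@ssw0rd!" fails twice: it is too short and it collapses back to "password" once the swaps are undone, which is exactly why the substitution trick alone is not enough. The re-use check reports the bank and webmail accounts together even though their passwords differ by one digit.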
With the volume, sophistication and complexity of cyberattacks continuing to grow, companies need to remain resilient by putting training, policies and procedures in place. These three things will ensure all employees are educated, aware, and know how to navigate these complex situations. Implementing the tips outlined above will help your business on the journey to securing company, client and personal data. We encourage your business to research cybersecurity in your specific industry, the various types of attacks, and the common attacks currently happening.