Like many Canadians, you probably want to take steps to protect what’s yours: your devices, identity, online privacy, business, family and home. That is why it’s smart to protect your internet-connected devices and guard your sensitive business and personal information.
Criminals and other malicious cyber threat actors (many of which operate outside our borders) take advantage of security gaps, low cybersecurity awareness, and technological developments to compromise cyber systems. They steal personal and financial information, intellectual property, and trade secrets. They disrupt and sometimes destroy the infrastructure we rely on for essential services and our way of life.
In this blog, you will be taken through various ways to stay secure and mitigate risk, to help protect yourself against cyber threats in 2021 and beyond.
This content is also available as an on-demand webinar.
Technology alone cannot protect you from everything; attackers go where security is weakest: the people. Security awareness training is essential for everyone, with the goal of reducing cybersecurity risk; many tips that keep you safe at work will also keep you safe at home.
The average cost of a data breach for Canadian companies in 2020 was 6.35 million dollars, with the main sources of breaches being compromised employee accounts and cloud computing. Mitigating your risk is also essential to avoiding fines for compliance violations, which mainly arise from the increasing complexity of the standards being enforced and from human error. We recommend putting resources into training your staff to recognize phishing scams and to practice good cyber hygiene. Training and sound cybersecurity policies can fill in the gaps where technology often fails.
When it comes to being cyber resilient, it’s not just about the technology; it is also about the people. Cybersecurity can seem overwhelming, but a good first step is putting a security awareness program in place. This program can be very simple and readily developed by you, or with the assistance and support of your managed provider. It should start with basic training for staff and, over time, expand to include updates and reminders on policies, standards and best practices. Your security awareness plan can include a regularly scheduled review to update existing security measures for your business, including adopting new means of protection, both software and hardware, as needed.
Training and educating personnel is vital to having a strong cybersecurity system in place. Choose topics that are simple, focused and concise. Messages should be repeated, however, it is important to engage with personnel in multiple ways to avoid having your messages ignored. For example, spam advice can be reinforced through emails, posters and staff meetings; you could even supplement this with periodic quizzes, contests and rewards to keep employees interested and involved.
Cybersecurity is safety; we must protect our computers and data in the same way that we secure the doors to our homes. We must behave in ways that protect us against the risks and threats that come with technology, protecting access to our computers and information, for example with antivirus software, firewalls, etc.
Cyber-attacks are the leading cause of security incidents, accounting for 31% of all publicly recorded ones. When it comes to the leading cause of breached records, internal errors top the board, causing 83% of them; internal errors are frustrating for employers, who have no one to blame but themselves. It's their responsibility to educate staff on the security risks they might introduce and to show them how to avoid costly mistakes; users must be aware of the threats that exist in order to properly detect and prevent them. You should care because it can affect your business, your reputation and your bottom line. There are many attack vectors, including phishing, vishing, smishing, ransomware, crypto hacking and many more.
The Office of the Privacy Commissioner of Canada reported that over 19 million Canadians were impacted by over 500 data breaches in a 6-month period from January 2020 to June 2020. This means that 1 in 2 Canadians were impacted.
Of the 500+ incidents, malicious outsiders made up three-quarters of breaches (74%), an increase of 23% from the last six months of 2019.
However, this source accounted for only 13% of all stolen, compromised or lost records. Accidental loss accounted for 18%, malicious insiders for 8%, and both state-sponsored and unknown accounting for less than 1%, with one incident each.
While malicious insider attacks only made up 8% of all breaches, the number of records compromised was 20 billion which is an increase of over 4,114% from the previous six months. Geographically, North America makes up the majority of all breaches and the number of compromised records, both over 86%.
Phishing is a type of social engineering that uses emails appearing to originate from a trusted source to trick a user into entering valid credentials at a counterfeit website.
Since the start of the coronavirus pandemic, a growing number of reports indicate that cybercriminals continue to exploit it for malicious purposes. To help individuals spot phishing scams, we would like to offer a few tips based on the common practices and tactics that cybercriminals use to take advantage of unsuspecting victims.
Phishing and other attacks are increasing in frequency and, unfortunately, in sophistication. However, there are a number of common indicators of a phishing attack, and knowing what to look for goes a long way toward protecting yourself. If you spot any of the following tip-offs, proceed with caution:
Spear phishing is effective because phishers create emails that seem genuine: they contain company logos or trademark information, the subject line is relevant, the message is pertinent. Given receivers’ desire to trust, it is easy for them to believe that these emails are legitimate and click on the links or open the attachments.
Typically, the e-mail and the website will look like they are part of a trusted organization with whom the user is familiar.
Here are five ways to spot phishing attacks.
When in doubt, throw it out: Links in emails, social media posts and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
If you’re not sure, contact the sender directly via another communication method (e.g. by phone).
Do:
Don’t:
Two-factor authentication, or 2FA, is one of the best ways to protect your personal or financial information. When you log onto a site — say your online bank or credit card provider — you’ll have to provide your username and password as usual. If you have two-factor authentication enabled, the site will then send a text or email to you with a code. You must enter that code before you can complete your login to the site.
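The flow just described (the site issues a short code over a second channel and refuses the login until it comes back) only adds security if the server side gets a few details right: the code must be unpredictable, expire quickly, work only once, and survive only a handful of guesses. The following Python sketch is an added example, not code from the original post or any particular site. The five-minute lifetime and five-attempt limit are assumptions, and issue() returns the code only so the example can run offline; a real site would hand it to its SMS or e-mail sender and never log it.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: discard the code after five wrong guesses


class OneTimeCodeStore:
    """Issues and verifies second-factor codes for logins awaiting their second step."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._pending = {}       # user -> {"digest", "expires", "attempts"}

    def issue(self, user):
        """Create a fresh six-digit code for `user`, replacing any older one."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not the random module
        self._pending[user] = {
            # Store a hash rather than the code so a leaked table is not a leaked code.
            "digest": hashlib.sha256(code.encode()).digest(),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # real deployment: give this to the SMS/e-mail sender, never log it

    def verify(self, user, submitted):
        """Return True once for the right code; expired or over-guessed codes are dropped."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]          # too many guesses: the user must request a new code
            return False
        digest = hashlib.sha256(submitted.strip().encode()).digest()
        ok = hmac.compare_digest(digest, entry["digest"])   # constant-time comparison
        if ok:
            del self._pending[user]          # single use: a replayed code is refused
        return ok


def login_with_2fa(store, user, password_ok, code_from_user):
    """Second step of a login; only meaningful once the password has already checked out."""
    if not password_ok:
        return False
    return store.verify(user, code_from_user)


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("code sent out of band:", code)
    print("right code accepted?   ", login_with_2fa(store, "alice", True, code))
    print("replayed code accepted?", login_with_2fa(store, "alice", True, code))
```

The hash-and-compare step uses hmac.compare_digest so that a wrong guess takes the same time whether it differs in the first digit or the last, and the attempt counter is what makes a six-digit code safe against simple guessing: without it, a million tries would eventually succeed.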
Ransomware is a new type of malware that encrypts documents, pictures and other files, making them unreadable. The attacker then holds the decryption key for ransom until you agree to pay money, usually through an untraceable method such as Bitcoin or another digital currency.
Ransomware assumes that you’ll pay to recover your files. If you back them up regularly, you may not need to pay the ransom, which in many instances can put you in legal jeopardy for potentially aiding and abetting a criminal or terrorist organization.
A ransomworm is an independent program that replicates itself and sends copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate again. Worms are more sophisticated viruses that can replicate automatically and send themselves to other computers by first taking control of certain software programs on your PC, such as email.
Cryptojacking is an attack that uses scripts to mine cryptocurrency within browsers without the user's consent. Some cryptojacking attacks involve loading cryptocurrency mining software onto the victim's system, but many depend on JavaScript code that mines in the browser for as long as the user has a tab or window open on the malicious site. No malware needs to be installed: loading the affected page executes the in-browser mining code.
Cryptojacking prevention methods vary according to whether the attack is browser-based or malware-based; however, they generally align with many security best practices. To stop cryptojacking in your browser, it’s a good idea to use a reputable ad blocker. You can also use a script blocker like NoScript, or simply disable JavaScript in your browser.
Alternatively, stick to reputable websites. Most of these won’t use cryptojacking as a funding model, and if they do, they are likely to notify you and ask for consent beforehand; the negative publicity that comes from secretly using cryptojacking just isn’t worth it for most reputable sites.
Of course, attackers can still compromise a site and insert cryptojacking scripts. While reputable sites tend to have better security, their vulnerabilities can still be exploited occasionally. Because of this, using an ad blocker and blocking scripts by default is the more universally secure option.
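The injected-script case in the paragraph above is the one a site owner can check for directly. Here is an added example, not code from the original post, that scans a page's HTML for script tags whose source host is not on the site's own allowlist and for inline scripts carrying typical in-browser-mining traits (the hashing loop of such miners is normally compiled to WebAssembly and run inside Web Workers). The sample page, the allowlisted hosts and the marker list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Traits common to in-browser miners: WebAssembly for the hashing loop, Web
# Workers to keep the page responsive, and the stratum mining protocol.
INLINE_MARKERS = ("WebAssembly", "new Worker(", "stratum")

# Constructed sample page: one legitimate script, one injected third-party
# loader, one injected inline bootstrap, and one harmless inline snippet.
SAMPLE_PAGE = """
<html><head>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="https://static.unknown-host.test/m.js"></script>
<script>
  var w = new Worker('/w.js');
  WebAssembly.instantiate(buf).then(function (m) { w.postMessage(m); });
</script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Gathers every <script> element: its src (if any) and its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # list of (src or None, inline text)
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        if self._in_script:      # HTMLParser hands script bodies over as raw data
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body)))
            self._in_script = False


def scan_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts that deserve a closer look."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src is not None:
            host = urlparse(src).hostname
            if host and host not in allowed_hosts:
                findings.append(("external-script-not-allowlisted", src))
        else:
            hits = [marker for marker in INLINE_MARKERS if marker in body]
            if hits:
                findings.append(("inline-script-mining-markers", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

The allowlist is the useful part: a site that knows which hosts it loads scripts from can run this over its own published pages on a schedule, and serving the same host list in a Content-Security-Policy script-src header makes the browser refuse anything else. The inline markers are a coarse heuristic and will not catch an obfuscated loader, so they complement the allowlist rather than replace it.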
As for cryptojacking malware, you can avoid it in essentially the same way you avoid other malware. Important practices include:
Mobile devices are the new threat landscape. Mobile malware, as its name suggests, is malicious software that specifically targets the operating systems on mobile phones. There are many mobile malware variants and many different methods of distribution and infection.
As more users are steadily moving away from desktop operating systems and favouring mobile devices instead, it was only a matter of time before hackers switched tactics. Right now, the volume of mobile threats is a mere fraction of those that target desktops. However, as more and more sensitive and potentially high-value tasks are carried out on mobile devices, mobile security threats are fast becoming a growing concern.
How do you protect yourself:
SMiShing: Like phishing scams, cybercriminals attempt to trick people into downloading malware, clicking on malicious links or disclosing sensitive information. A SMiShing attack is launched through text messages instead of email. Criminals also use phone calls, called “vishing” (voice phishing), to steal information and money: deceptive phone calls intended to extract private information such as passwords, credit card numbers and financial details.
Here’s how you can avoid falling for the latest tricks.
Remember:
One in every 142 passwords is ‘123456’: a study released last month showed that “123456” is still the most widely used password on breached accounts.
More than 1 billion username and password combinations were leaked online from various corporate data breaches, revealing some alarming results:
Only 8% of the analyzed passwords were unique, with an average length of 9 characters. 20% of the passwords contained letters only, and 15% consisted of lowercase letters only.
Making matters worse, the analyzed data was gathered from various data dumps, including some roughly five years old. User behaviour has not improved over time, and there is no doubt that cybercriminals have exploited this carelessness.
This is borne out by the contradictory attitudes of Internet users toward their account security. In a May report issued by LastPass, 80% of respondents said they were concerned about having their passwords stolen. However, 66% of participants use the same password across their online accounts, and 53% have not changed their passwords in the last 12 months.
Taking into consideration the vulnerable state of the digital landscape, users should start focusing on the security of their online accounts. It might be time-consuming for some, but can you put a price on your account privacy and the safety of your personal information? Good cyber hygiene practices are the first step: start by analyzing your password re-use and complexity.
A strong password is an important protection that helps you have safer online transactions. Here are steps you can take to create a strong password; some or all of them might help protect your online transactions:
For enhanced security, consider using a passphrase instead of a password. A passphrase is more secure than a regular password because it is longer, more complex and unpredictable, making it very hard to guess — even with the software tools that cybercriminals use. Be creative. Use the first letter of each word of a memorable sentence or phrase, then make it even tougher by changing some of the letters to numbers (e.g. use a "3" to replace an "e"). Ordinary passwords are easy to guess, especially when they are one of the choices that remain favoured by a majority of users, such as password, 123456 or qwerty.
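The figures above describe three habits that can be audited mechanically: passwords that appear on breached-password lists, passwords that are short or use a single character class, and the same password reused across accounts. The following is an added example, not code from the original post: a small self-audit over a constructed set of accounts. The common-password list is a tiny constructed subset (the post names password, 123456 and qwerty), the 12-character threshold is an assumption, and reuse is detected by comparing hashes rather than the raw strings.

```python
import hashlib
import string

# Constructed subset of a breached-password list; a real audit would use a
# full corpus such as a compromised-credential feed.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "abc123"}
MIN_LENGTH = 12   # assumption for this example

# Constructed sample: four accounts, two of them sharing a password.
SAMPLE_ACCOUNTS = [
    ("bank", "Summer2020!"),
    ("email", "Summer2020!"),
    ("shop", "123456"),
    ("forum", "correct horse battery staple"),
]


def character_classes(pw):
    """Which of lower/upper/digit/symbol the password draws on (spaces count as symbols)."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def assess_password(pw):
    """Return the problems found; an empty list means none of these checks fired."""
    issues = []
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("on the common-password list")
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(pw)
    if classes == {"lower"}:
        issues.append("lowercase letters only")
    elif classes and classes <= {"lower", "upper"}:
        issues.append("letters only")
    return issues


def find_reuse(accounts):
    """Group account names that share a password, comparing digests instead of raw strings."""
    groups = {}
    for site, pw in accounts:
        key = hashlib.sha256(pw.encode()).hexdigest()
        groups.setdefault(key, []).append(site)
    return [sites for sites in groups.values() if len(sites) > 1]


def audit_accounts(accounts):
    """Combine both checks into one report: weak passwords per site plus reuse groups."""
    weak = {}
    for site, pw in accounts:
        issues = assess_password(pw)
        if issues:
            weak[site] = issues
    return {"weak": weak, "reused": find_reuse(accounts)}


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_ACCOUNTS)
    for site, issues in report["weak"].items():
        print(f"{site}: {'; '.join(issues)}")
    for group in report["reused"]:
        print("same password on:", ", ".join(group))
```

On the sample, the shop account is flagged twice (common list and too short), the bank and email accounts are flagged for length and reported as sharing one password, and the long lowercase passphrase passes because its spaces count as a second character class. Grouping by digest rather than by the plaintext is the habit worth keeping when the audit runs over a real export from a password manager.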
With the volume, sophistication and complexity of cyberattacks continuing to grow, companies need to remain resilient by putting training, policies and procedures in place. These three things will ensure all employees are educated, aware, and know how to navigate these complex situations. Implementing the tips we outlined above will help your business on the journey to ensuring the security of company, client and personal data. We encourage your business to research cybersecurity in your specific industry, the various types of attacks, and the common attacks currently happening.