In 2018 the most common fraud affecting UK businesses was cybercrime. Accounting for almost half of all fraud (49%), cybercrime is now more common than asset misappropriation and boardrooms are increasingly recognising the importance of proper cyber security infrastructure, with 82% of CISOs now reporting directly to the board.
With such an emphasis on security, you might expect that traditional methods, such as spear-phishing and pwned passwords would no longer be a credible threat. Far from it. Hackers are still disrupting businesses with these techniques, with small growing businesses often most at risk due to a lack of IT security processes and systems in place. The same can be said for private individuals and despite a wealth of information online, users are still getting caught out by relatively primitive phishing scams and other cybercrime methods.
Here I want to take a look at five of the most common hacking methods that are still catching out unwary users and businesses alike.
In 2017 spear-phishing emails were used by 71% of hackers, representing the most “popular” infection technique. End-users are targeted with an email containing a link to a rogue website, or an infected attachment. This is a website that the user accesses regularly, and when they attempt to login, the hacker steals their username and password details.
Although more common at home, business users are also susceptible to such emails. Good staff training is essential in dealing with this threat, educating users to spot suspicious emails.
58% of firms have at least 100,000 folders with global access, representing a huge risk to their data. Once a hacker has breached a network, the first thing they will do is look for unprotected folders. These folders could (and often do) include intellectual property, sensitive data about customers or staff, as well as crucial financial information.
To protect the business, IT should pay close attention to file system access, using security groups rather than global access groups. There should be a regular audit of file servers and data stores, checking that access is applied. The audit should also verify that only authorised users have access to sensitive data.
In 2018 do we still need to talk about passwords? 65% of businesses have at least 500 users who never change their passwords. Using a password that does not expire means giving hackers an opportunity to break in using brute force. Pwned (hacked) passwords can also be found on sites ready for hackers to use.
To counter this threat, IT must enforce a robust password expiry regime with complex passwords. Staff education can also discourage people from writing their password on a post-it next to their screen.
In Q2 2018 the longest DDos attack persisted for 258 hours (that’s nearly 11 days). SYN flood attacks are the most common method; the hacker sends a stream of SYN requests to multiple ports, using fake IP addresses. If the connection requests are quicker than the server can process, it will become unresponsive.
Protection methods have evolved, such as Micro blocks, SYN cookies and RST cookies, but system administrators have to be vigilant to DDoS threats.
Worldwide wearable device sales will grow 26% in 2019. Although not a specific threat type, wearables are a significant threat vector. Owing to the increasing popularity of Bring Your Own Devices (BYOD), businesses need to pay close attention to the security and information risk.
In particular, wearables need to:
Working with cybersecurity professionals, we are well aware of the potential risks of cybercrime. It’s eye-opening though, that it’s now the most common type of fraud affecting our businesses; at 49% it’s almost as much as all the other risks put together.
It’s our job to keep up to date with the latest threats, but we also need to be vigilant around traditional methods too. As has long been the case, the weakest link in any cyber security network is often the human operator so vigilance and education are both absolutely essential. Who would have thought that we would still be talking about passwords in 2018?