It seems these days almost everyone is aware of the term “cybersecurity.” You can hardly turn on the news without hearing about a new data breach. Does the Colonial Pipeline story ring a bell? Add Covid-19 to the story and you create an environment that is changing so quickly that it is difficult for organizations to keep up with the risks. The fact is, any church, school, or organization can be a target of cyberattacks, and anyone who has access to your network or systems can unintentionally trigger an attack. In this article we will discuss the many factors that have brought about new trends and, in some cases, a renewed focus on certain types of attacks, known as attack vectors. We will also discuss how the current environment has brought new awareness to organizations about how to address the threats.
Supply chain attacks
At levels unpublicized and unseen before, the cyber industry is seeing bad actors focused on supply chain attacks. This happens when bad actors infiltrate your system(s) through an outside provider of software or services that you use, such as security tools, management tools, or even antivirus software. For example, in the SolarWinds hack, the bad actors targeted, among other things, the software patches of software used across the globe. Once users patched their software, suddenly the bad actors had access to those systems.
This attack gave the hackers the ability to compromise one company and suddenly gain access to thousands of its global customers. The scope of the SolarWinds hack seems to grow daily, and since it was announced, other similar attacks have been appearing, exposing tens of thousands of affected organizations.
Aside from the exposure of the data within these organizations themselves, another significant impact from these supply chain attacks is the loss of trust it creates between us and vendors. At a minimum, it gives us pause when considering installing third-party software on our systems, and, ironically, it can even cause us hesitation to trust those systems whose purpose it is to help protect our data.
Consider doing risk assessments on all vendors you and your organization use. Once you understand what steps they take to secure their systems and processes, you’ll be better equipped to know whether you should continue using them. Also, consider limiting outbound network traffic to only what is necessary. Doing this may prevent a bad actor from sending your data to themselves even if the system you use was breached. These are just a few of the steps that can help reduce your supply chain risks.
Remote work
As the Covid-19 pandemic expanded, more organizations turned to work-from-home models. Whether this is a temporary plan or a long-term option depends on each organization. What is clear, however, is that work-from-home is likely here to stay, at least at greater levels than before Covid-19.
As the workforce has increasingly made the shift to working from home, organizations have had to change how they provide employees access to company data. This has led to a substantial increase in awareness and the use of two-factor authentication (2FA).
While the adoption of 2FA is a good thing, it is also important to consider other factors that come into play when working from home. Consider, for example, data privacy. Our homes are not as secure as our workplaces. An employer cannot control who comes and goes in an employee’s home; therefore, it is critical to educate employees about security issues at home, such as screen privacy and whether they should be printing company documents at home. With work-from-home models, the risk for potential theft of company documents or devices is dramatically increased. Have you or your organization considered this and taken steps to mitigate the risk?
Educate yourself and your staff on what they should and should not be doing while working from home. For example, if possible, be sure they have a private work area, a place where a visitor to their home could not see company data on a computer screen. Enforce the rule of no printing or storing of company documents at home. Encrypt the hard drives of your computers to protect the data in case the device is stolen. These steps, and more, can substantially reduce the risk to your organization’s data.
Smishing?
You have probably heard of phishing emails—when someone sends you an email pretending to be someone else, trying to get you to perform an action or provide privileged information. But do you know about smishing? Smishing is a new variant of phishing that is gaining popularity among bad actors.
So, what is smishing? Instead of using emails to phish for data, smishing uses SMS text messages sent to cell phones. They are harder to identify than phishing emails because text messages are shorter and consequently have less information in them to help you recognize a fake.
In smishing, the bad actor sends a text message, pretending to be someone the potential victim would believe is legitimate, such as a bank, utility company, or perhaps a credit card company. They will suggest you need to click on a link in the text message to verify your credentials or to view some important information. Once you click the link, it downloads malicious software to your device or opens a website that looks so real that you go ahead and provide the information they are requesting.
Have you been smished yet? How about your employees? Will they know how to recognize and deal with it?
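As an added illustration (not part of the original article), the small Python scorer below applies the warning signs described above to constructed sample texts: a link in the message, a link shortener or raw IP address, a brand mentioned in the text that does not match the linked domain, and urgency wording. The brand-to-domain table, shortener list and urgency words are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Assumed lookup tables for the example; a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
URGENCY = ("suspended", "verify", "immediately", "locked", "urgent", "within 24")
# Claimed brand keyword -> the domain that brand legitimately uses (constructed values).
BRANDS = {"bank": "examplebank.com", "acme": "acme-utility.com"}
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def extract_hosts(text):
    """Return the lowercase hostnames of every link found in an SMS body."""
    hosts = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?)")  # trailing sentence punctuation is not part of the URL
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def score_sms(text):
    """Return (score, reasons): one point per smishing indicator found in the text."""
    reasons = []
    lowered = text.lower()
    hosts = extract_hosts(text)
    if hosts:
        reasons.append("contains link")
    for host in hosts:
        if host in SHORTENERS:
            reasons.append(f"shortened link ({host})")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append(f"raw IP address link ({host})")
        for brand, legit in BRANDS.items():
            # The text names a brand but the link points somewhere other than that brand's domain.
            if brand in lowered and host != legit and not host.endswith("." + legit):
                reasons.append(f"mentions '{brand}' but links to {host}")
    if any(word in lowered for word in URGENCY):
        reasons.append("urgency language")
    return len(reasons), reasons


def is_suspicious(text, threshold=2):
    """Flag a message when at least `threshold` indicators are present."""
    return score_sms(text)[0] >= threshold


if __name__ == "__main__":
    # Constructed sample messages, not real smishing texts.
    for msg in ("Your bank account has been locked. Verify now at http://bit.ly/abc123",
                "Your package will arrive Tuesday between 2 and 4 pm.",
                "Reminder: your statement is ready at https://www.examplebank.com/statements"):
        print(is_suspicious(msg), score_sms(msg))
```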
These are just some of the current cybersecurity trends. Whether it affects your network, your systems, or a service provider you use, the impact on your everyday life is real. As with most things, education is key. Be sure to educate yourself and your employees or volunteers about how to protect your organization and personal life. And do not forget to share any concerns. When you receive phishing or smishing notifications, let others in your circle know what you received so that they can keep an eye out for anything similar. If your organization has an information technology (IT) department, be sure to let them know so they can take action to prevent others from receiving it. At the end of the day, we must all take responsibility in our sphere of influence.
Glossary
Attack Vector – “a specific path, method, or scenario that can be exploited to break into an IT system, thus compromising its security” (Wikimedia Foundation, 2021)
Bad Actor – “a person or organization responsible for actions that are harmful, illegal, or morally wrong” (Cambridge English Dictionary)
Cyberattacks – “an attempt to gain illegal access to a computer or computer system for the purpose of causing damage or harm” (Merriam-Webster)
Cybersecurity – the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation
Encrypt – the generic term encompassing encipher and encode
Information Technology – “any equipment or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information” (NICCS)
Phishing – “a digital form of social engineering to deceive individuals into providing sensitive information” (NICCS)
Smishing – “the practice of using fraudulent text messages to extract financial data from users for purposes of identity theft” (HarperCollins Publishers Ltd. [n.d.])
Software Patches – “a number of instructions added to a program that has already been translated into machine language, as to correct an error” (HarperCollins Publishers Ltd. [n.d.])
Two-Factor Authentication (2FA) – “a security system that requires two distinct forms of identification in order to access something” (Kenton, 2020)
References
- Bad actor. (n.d.). Cambridge English Dictionary. Retrieved September 30, 2021
- National Initiative for Cybersecurity Careers and Studies (NICCS). (n.d.). Cybersecurity glossary. Retrieved September 30, 2021
- HarperCollins Publishers Ltd. (n.d.). Patch. Collins English Dictionary. Retrieved September 30, 2021
- HarperCollins Publishers Ltd. (n.d.). Smishing. Collins English Dictionary. Retrieved September 30, 2021
- Kenton, W. (2021, May 19). Two-factor authentication (2FA). Investopedia. Retrieved September 30, 2021
- Merriam-Webster. (n.d.). Cyberattack. Merriam-Webster. Retrieved September 30, 2021
- Kelly, S., & Resnick-Ault, J. (2021, June 9). One password allowed hackers to disrupt Colonial Pipeline, CEO tells senators. Reuters. Retrieved September 30, 2021
- Thomson Reuters. (2021, February 15). SolarWinds hack was 'largest and most sophisticated attack' ever: Microsoft president. Reuters. Retrieved September 30, 2021
- Wikimedia Foundation. (2021, September 5). Attack vector. Wikipedia. Retrieved September 30, 2021
Image credits: IncrediVFX.adobe.com