This year was laden with cybersecurity challenges pertaining to “opportunistic attackers” and attempts to compromise individuals’ computers for credentials and financial information harvesting. In 2019, new technologies and channels will come to market, opening up additional threat vectors for hackers to explore and attack. As businesses prepare for 2019, below is a list of cyber risks that could impact mid-tier enterprises and their employees, as well as a list of proactive tips for circumventing these potential threats.
Phishing Will Remain King
Although far from novel, phishing or Business Email Compromise (BEC) will remain the primary method of attack in 2019. Hackers could deploy this method as a targeted attack or as an opportunistic “wide net” type attack. Phishing attempts have become more sophisticated over time and can appear to come from one’s bank, asking them to verify bank information after a recent trip, or an email that appears to be from one’s supervisor asking them to download and sign an important company-wide document.
In general, clicking on links in emails is extremely dangerous, especially links that you weren’t expecting or do not recognize. Moving into 2019, be extremely cautious of clicking on links that are sent via email from both known and/or unknown sources.
- Verify with the sender (when possible) that they are the person that sent you the link if you don’t recognize the domain on the link and are not expecting said an email.
- Treat all email links to documents or sensitive login pages as suspect. Links should be automatically tested with sophisticated sandboxes for phishing and/or malware attacks before landing in users’ inboxes. This is best done with sophisticated email security technology (i.e. technology that tests not only signatures and links but attachments too).
- When in doubt, go to a company’s website directly rather than clicking on a link in an email.
Document/PDF Attacks Will Re-Emerge
Cybercriminals will leverage users’ trust in PDFs and Microsoft Office applications as a new attack vector. A typical attack involves either attaching documents to an email (that contain malicious content) or getting users to click on a linked document resulting in a download. Either way, the hacker’s goal is to get an individual to download a random “executable,” disguised as a normal document. The reason this technique remains dominant amongst hackers is because it relies on something technology cannot fix – innate human curiosity. For example, people are likely to click on juicy-sounding attachments such as “Payroll2019.xlsx” or ones that play on people’s fears such as “JohnDoe_IRS_Police_Warrant_Open_Immediately.docx.”
- Pay attention to the newest versions of Adobe Acrobat and Microsoft Office that has patched these issues and continue to update your computer with the newest versions as a safeguard to protect your computer and your data when opening attachments and/or documents.
- Conduct an in-depth analysis of all incoming documents. Treat all documents (via emails, browser downloads and email links) as executables and, when possible, run all downloadable documents through a security software that has sandboxing analysis.
Password Reuse Needs to be Reworked
Due to onerous password complexity requirements, people often re-use similar and predictable passwords across professional and personal websites and portals. In many cases, threat actors can hack into badly designed and/or badly protected password databases on a 3rd tier website and capture full user credentials that can later be used to gain access into personal emails as well as corporate systems.
- Implement cloud-based single sign-on with two-factor authentication for your personal and company websites and databases. Users will be thankful for the convenience and this will eliminate password reuse.
- Eliminate password complexity requirements as well as 8-character password limits. In fact, earlier this year, NIST reversed their stance on regular password rotation as a “best practice” and now recommends creating longer passwords without crazy requirements.
- Integrate cloud-based, SaaS-facing identity management platforms into your company’s cyber-infrastructure strategy to better regulate individuals and devices.
Disconnect Connected Devices
More and more devices (i.e. cars, thermostats, light bulbs, Google Home/Alexa, phones, etc.) are being hyper-connected with little to no oversight. With the insurgence of IoT-based attacks threatening consumers’ privacy, information and identities in 2018, companies need to be mindful of being too-interconnected.
- Do not allow employees to connect “personal IoT” devices to your sensitive networks. Segmented-off guest WiFi networks may be ok for such devices. Physical jacks in the finance department might not be ok.
- Educate employees on the risks and threats associated with linking a majority of one’s account information to smart technology products.
To better prepare one’s company and employees for the above cyberattacks, look to implement cybersecurity processes and strategies that are both layered, automatic and dynamic. Consider leveraging a mix of devices and controls, including: next-generation firewalls, email security solutions, real-time cloud sandboxing, secure mobile access controls, etc. Once deployed, these tips, technologies and tools could potentially eliminate 90 percent of your company’s overall threat surface in 2019.