The hackers; the perpetrators of cyber crimes; the “ruiners” of lives, organizations, and businesses; the individuals; the organized crime groups; the threat actors; the phishing masters are all criminals who are feasting on the need to be connected both personally and professionally in an ever-evolving, highly technical landscape. The desire to be in the know now, up to date on all things now, to have things now, to share all things now, to publish and post all things now, to do business now has made us very valuable targets, both from an information and financial perspective. And this is making cyber criminals millions.
With each click, download, or insertion of external media, individuals may inadvertently welcome the “ruiners” and malicious code into their personal and/or professional life. Most of the ruiners will sit in the background and wait, often six to nine months, gathering personal, financial, or proprietary information from a system or network. Then they pounce, encrypting systems and rendering them unusable. Only by paying a handsome price or ransom can a person gain some freedom through decryption keys. One might think that’s the end, when the system’s restored and data returned; however, with increasing frequency, the threat actors take the ransom only to sell the data they have acquired on the dark market.
The ruiners hide behind organized crime names; they work in groups or cells, or they work alone; they use pseudonyms or handles and Virtual Private Networks (VPNs), and they almost always accept payment via cryptocurrency. With thousands of different types of digital currency, different exchanges, and tumblers, it is next to impossible to trace or locate them.
The good news is that most cyber crimes, cyber security incidents, or events are caused by human error and, thankfully, we as a species are not so far removed from our primate ancestors that we cannot be trained, taught, educated, and shown how to be cyber safe.
There is hope.
To commit cyber crimes, threat actors require intelligence or information on an individual, organization, or business. The best way to gather intelligence is to conduct open-source searches on the clear web, or access information on the deep or dark web. They can also garner information through a technique called social engineering. In this manner they use openly available information (a name, address, email, date of birth, picture posted, video posted, comment posted) to trick a person into divulging more personal information about their life, finances, or business.
There are many forms of phishing, but people are most familiar with email phishing, where a threat actor will trick you or “fish” for personal information by encouraging an individual to share, click a link or download information in an email. This activity via SMS text messaging is called smishing, and via the phone, vishing.
The need to protect personal, organizational, and business information has never been more critical. It is important to be aware of both active and passive digital footprints and the technical controls that are, or are not, in place. For starters, when logging in to any device, use a complex password, with biometrics and/or multi-factor authentication. Keep passwords private, change passwords frequently, and use a password manager to keep organized. Once logged in, ensure that updates are installed regularly, either manually or automatically, and patch all applications as required and prompted by legitimate providers.
When browsing online, check the settings to make sure that the browser shares only the information you actively choose to share, and that information is not being shared passively in the background. Only navigate to sites that use the HTTPS protocol, and only download material that is absolutely required and comes from a reputable site. Review and approve cookies, location settings, and data collection requests.
On a mobile device, when downloading a new application from a reputable provider, remember to always review the default settings and configure them to the most secure options. On a laptop or computer, always have anti-virus software installed, use a firewall, and adjust any default settings on routers for maximum security. Never use an identifiable Service Set Identifier (SSID) for Wi-Fi, and consider using a VPN. When inserting any sort of external media into a laptop or computer, ensure that it is scanned and virus free.
When responding to an email, remember that the threat actors like to try to trick individuals into sharing information, or they encourage a click or a download, so be especially mindful of responding in a hasty manner. Always double check the exact spelling of the email addresses in the To and From lines and make sure that the subject line, date, and time stamps make sense. The same logic goes for phone calls and text messages: do you know the sender or caller, does it make sense, were you expecting it?
Lastly, and perhaps most importantly, back up laptops, computers, and mobile devices on a regular basis, to a secure location.
A comprehensive organizational cyber strategy should be structured around the principles of govern, prevent, detect, and respond; these principles can also be applied personally. The strategy will ensure that organizational technical controls are in place. Cyber security can be complex, and having a chief information security officer (CISO), technical staff, or a managed services model is key.
The strength of an organization’s people will be reflected in the quality of implementation of the controls. Areas that will require strategy, resources, and budget are: governance and risk compliance, IT asset management, third party risk management, digital identity, data protection, application security, infrastructure security, threat intelligence, cloud security, vulnerability management, disaster recovery, business continuity, incident response, forensics, insurance, and legal and regulatory industry requirements.
The recommendations provided here are but a snapshot and are not all-encompassing. As we spend more time online, connected, we owe it to ourselves, our families, organizations, and businesses to make every effort to be as cyber safe and cyber resilient as we possibly can. The cost both personally and professionally is too high. Have a plan and don’t click, insert, or download without cause and pause.