The principle of scarcity says that we value an asset higher when it has a scarce availability, while we tend to think that what exists in abundance has little or no value. It is possible that this theory explains why we do not give importance to the information that we generate as users.
Possibly, this is the reason why cybercrime has turned into one of the most profitable criminal activities of these times, and this situation will continue as long as we ignore how much data our email address or ID number can provide anyone who asks for them.
Things get worse when cybercriminals target companies. The corporate information and the data of the clients are an important part of the economic activity. That is why protecting information should be one of the priorities of companies, but in most of them it is not yet.
The Internet has given us a window of business opportunities that sometimes makes it difficult to perceive real threats. This means that, in terms of cybersecurity, companies are reactive and not active, which means that they only look for solutions when they have been hit by an attack instead of preventing it by the implementation of cybersecurity policies .
But let’s go back to the beginning of the problem.
Why do hackers attack when you are working?
Remember, how was your first day of work?
Surely, it was not one of the easiest.
You had to learn the names of your mates not without delay. They explained to you details of the company while you thought that it was possible that you would forget everything after a while.
But none of that information had to do with how to protect yourself from cyberattacks or how to perform your job more safely.
And why is that a problem?
Because every day we receive dozens of emails from customers, suppliers and advertisers; we manage orders through corporate or third-party applications; and in short, we carry out tasks proper to the activity we perform without the necessary security training.
The next click might end with the ransom of the equipment and the encryption of the data stored in it. Cybercriminals are aware of the lack of security training of most users. They take advantage of it, just as they do with the frenetic rhythm that many workers have in their offices.
Lack of awareness and rushing make up the perfect context for an attack with high probability of success. And part of that success is determined by the methodology that cybercriminals use, like for example, social engineering and phishing.
What methods do they use? This is how social engineering and phishing works
An exercise of persuasion. This is how you could define what people do when performing social engineering.
Through a set of psychological techniques and social skills, the social engineer aims to gain sensitive information.
An example of social engineering could be receiving the mail of someone who supposedly is your manager. In the mail, he asks you to send certain confidential information that you have or, depending on your responsibility, to make a bank transfer to an account number that provides you with the excuse that it is necessary to make that payment as soon as possible.
It seems that the CEO Scam is quite obvious, but the reality is that it has achieved a high level of sophistication, so it is a fairly common attack among companies.
Also, this example can be even more terrifying if possible. On the one hand, it is making you think that the mail comes from a manager (social engineering); on the other hand, it could not only ask you to make a money transfer, but also download a malicious file that can compromise your company’s infrastructure (phishing).
Like this case, cybercriminals create every day new ways to carry out attacks using social engineering and phishing. In this scenario, learning to recognize a cyberthreat becomes a need for all the people who work with electronic devices connected to the Internet.
What happens when the threats come from within the company?
“The truth is out there”. Do you remember? That’s what they said in the X-Files series, letting us know that we had to look for the dangers outside, but how wrong they were.
When it comes to cybersecurity, the people who make an attack possible do not have to wear a hooded sweatshirt or be in front of their computer at dawn. They can wear a suit and tie or have an office schedule. They may be the people you spend more time with than your family. It is possible that they are your work mates.
According to a study that IBM published in 2015, 60% of attacks came from within an organization. From that number, 44.5% of the attacks were perpetrated by evil, while 15.5% of those attacks originated by accident, which means by a worker who has allowed access to the company’s infrastructure without wanting to.
If the bad news is that you do not just have to defend yourself from what is out there, the good news is that there is a small percentage of those attacks that occur by accident. These situations that can be avoided by complying with the basics in cybersecurity.
What are the basics of cybersecurity for a company?
Information is power, but more powerful is the one who knows what to do with information.
The really important thing is to know what to do with that information, acquire the necessary knowledge to protect yourself, and ultimately, it is important to have security training.
1. Personalized security training according to the activity of the company
We often think that we need a good antivirus to protect our equipment. The truth is that having these types of tools installed is fine, but they are useless when we allow (by mistake) all kinds of malware to access our systems.
If there is a reason why cybercrime has become the most profitable criminal activity in the world, it is because the majority of users are still not aware of how to identify and proceed when there is a potential cyberthreat.
The objective of computer security training is precisely that.
We distrust when a stranger tries to call our attention in the street. With the security training, you take the same attitude when browsing the Internet, despite not being able to see the face of your interlocutor.
On the other hand, security training for a company should have some characteristics:
Personalized security training according to the activity of the organization: because it is not the same to train bank workers as those who manage a computer in a textile store.
Different security training depending on the department: because the financial department will be more susceptible to receiving potential threats than the people who are in customer service. Also, keep in mind that hackers can design attacks for positions with more responsibility because they have more privileges and critical information of the company.
2. Ask yourself, how often do you back up?
The first thing we think when the disaster takes place are the backup copies. They are always ready to be used if those copies are made…
Maybe this is one of the most repeated computer security tips, but we are going to say it once again.
Backup copies must be done.
They have to be performed periodically and, if possible, save several copies of the same backup copy: one in local (offline) and another one can be uploaded to the cloud.
Nowadays we have countless tools for all types of media with which we can schedule backup copies every so often. In this way we take away the fact of being aware of doing them and we can go to sleep peacefully, since if we are the victim of a type of attack that erases or encrypts our data, then at least we can recover them.
3. Specific policy for sensitive data of the company and customers
Does the acronym GDPR sound familiar to you?
They respond to the General Data Protection Regulation, a regulation that came out in May 2016 to be applicable in May 2018. This time frame was granted so that all organizations operating in Europe will implement the necessary policies and procedures.
This regulation will give consumers more control over their information, as it implies a lot of changes for organizations that handle user data and we have talked about it at length here and here. For the privacy of the users it is good news, because the companies (only those that operate in Europe) should take care of the information they store about us.
4. Protocol of action: what to do if you suspect that you have been hit by a cyber attack?
Do you know who to call if your company is being attacked by a cyber attack?
You may think that it is not your responsibility to know that, because most organizations have a technical department that deals with it.
But not all cyberattacks are like the famous Wannacry ransomware, which infected thousand of devices around the world. There are attacks that go unnoticed and it takes months to know that there has been information theft.
For example, you download (unintentionally) a file from an email that seemed trustworthy. You execute it and, despite nothing happened at this time, you suspect that something went wrong…
For these cases and many more, there should be an action protocol: like contacting a cybersecurity company or an IT security expert, if there is no one within the organization.
But how much does it cost?
In the business world, costs are everything.
One of the first issues that arise when improving the safety of companies is if it is an expensive service.
Well, the answer speaks for itself:
A single cyberattack is enough for a company to have to cease its activity.
On the one hand, there are the recovery costs: recover lost information, quantify how much data has been leaked, reestablish infected equipment… costs vary according to the type of attack that has been suffered.
On the other hand, here is what is probably the highest cost: the image cost. This means that it is not a good look for a company to have customer information stolen from its customers. And ultimately, the consequences of a cyberattack can affect the sales of the organization.
And finally, with regard to cyberattacks against companies, we must bear in mind that cybercriminals have stopped targeting large corporations. The reality is that medium and small companies are affected every time. And campaigns like the ransomware are designed to go against organizations of all sizes to ask for a rescue according to the size of the company.