You might be a business owner, manager, freelancer or an hourly worker. But no matter what, you need cybersecurity.
These days, operating systems, browsers and many software applications have some kind of cybersecurity built in, but that doesn’t mean you don’t have to worry about it — especially when large-scale cyber attacks in the past year have exposed US security gaps.
You can reduce your chances of becoming a victim of cyber crime by avoiding common mistakes, though there is no way to ensure you won’t become one; it’s likely that you’ve been impacted by some kind of cyber crime or data breach multiple times already. A 2020 Cybint report found that 95% of cyber security breaches are due to human error, which is then exploited by hackers.
That should be enough to make anyone take a good look at how they’re protecting themselves and their business.
For Technical.ly’s Cybersecurity Month, we’re diving into our archives to find relevant advice on the topic you may have missed or forgotten. Here are six major cybersecurity mistakes that have been highlighted in our past reporting:
1. Not overhauling your cybersecurity in the last year or two, especially if you’ve shifted to a work-from-home or hybrid model
“When you’re not in the office you don’t have that hallway conversation, so companies need to be proactive about raising employee awareness of cyber attacks, and also best practices,” said Harish Siripurapu, a Baltimore information security consultant who was partnering with tech advisor firm Think Systems to expand its cybersecurity portfolio when he was interviewed by Technical.ly in August 2020. “There’s a huge opportunity for companies to train up the employees on what the telecommuting risks are.”
2. Underestimating the threat of cyberattacks and your own vulnerability
In January, Pittsburgh-based Hornetsecurity published the latest edition of its Cyber Threat Report, which found that cybercrime, including ransomware attacks, is rapidly rising.
“We think raising the awareness of cyber threats is really important for us, not just from a marketing perspective, but also because it is one of the biggest risks companies face nowadays,” Hornetsecurity CTO Yvonne Bernard told Technical.ly. “But many companies are still not aware until it’s too late.”
3. Being less than extra careful when hiring remotely
Hiring remote workers may seem less labor intensive than in-person hiring, but, in fact, you need to be twice as vigilant. In February, tech recruiting firm MTC Search Group’s Mark Constan in Greater Philadelphia discussed the rise in virtual interview scams, where an interviewee was being fed answers to technical questions by someone off-camera.
“Companies need to be careful because employees can access IP, and possible personal data, too, of customers,” Constan said. “Working in tech, I’ve had to complete training and compliance around handling of data and personal identifiable information, but I have had months to complete the assessments. So is this scam just to place contractors and hope no one notices? Or does it go further to access stuff?”
It isn’t just potential workers gaming the system (or worse); there are also fake remote work job listings that steal personal information.
The best way to avoid such scams, Constan said, is to use reputable job placement firms when hiring or seeking work.
4. Clicking a link that looks urgent without thinking
The COVID-19 pandemic brought with it a flood of phishing scams that took advantage of the public’s heightened anxiety by claiming, for example, that they may have been exposed to the virus or offering fake vaccine information.
“There’s been a huge increase in COVID-19 phishing emails in the past couple of weeks,” said Connor Swalm, cofounder of Anchor Security, a Newark, Delaware cybersecurity firm, back in March 2020. “They can be much more effective than other phishing scams, and the people most susceptible are at risk of losing their businesses if they get scammed.”
Phishing emails falsely claiming a vaccine has been approved may be in the past, but be careful of unsolicited links claiming to be about a new strain of the virus or other world events that may evoke an emotional response.
5. Not involving employees in cybersecurity efforts
The best defense against phishing and other common cybercrimes is a well-educated team. In a guest post last August, Lior Kohavi, chief strategy officer and EVP of Advanced Solutions at McLean, Virginia-based Cyren, talked about some of the risks businesses face, and stressed that security awareness training alone isn’t enough.
“It’s common to find training is provided in an infrequent, ad-hoc manner, which makes it unlikely the knowledge will sink in and influence daily habits,” Kohavi wrote.
A better solution, he wrote, was a “crowd sourcing” approach where every employee has the tools to actively fight cybercrime all of the time.
“With the right tools, workers can become an active and effective part of the company’s defenses against email threats,” he said. “This means ensuring that all individuals have the capability to scan their own inboxes for threats whenever they need to. Rather than wasting time squinting at a potentially suspicious message while thinking back on some half-remembered training, they can quickly verify their concerns with the click of a button. Emails that contain traits consistent with a malicious message can be immediately forwarded to the IT security team for full investigation.”
6. Blaming yourself if an ad gets a lot of hits and few conversions
It’s normal that a number of clicks won’t convert, of course, but if you’re seeing a huge number of clicks with few conversions, there is a good chance you’re a victim of cyber advertising fraud, and those clicks are bots. According to a 2019 Juniper Research study, advertising fraud is a $42 billion industry and growing.
“Many people are what we call ‘unaware Adams,’” said Adam Kaminski, then a digital marketing specialist for Middletown-based cybersecurity firm Anura, in September 2020, referring to business owners who don’t recognize what’s happening as their ROI diminishes.
“One tactic is domain spoofing,” said Kaminski. “Basically someone sets up an IP address, sets up four other machines in the same room, but the machines are registered in Europe, South America, Canada, so we really can’t trace it all the way back to an individual. But we can recognize that these IP addresses need to be monitored.”