No-one likes being rushed into a decision; it’s hard to escape the feeling that we’ll make the wrong move. That’s why the theme for this year’s EU Cybersecurity Month (ECSM) awareness campaign, ‘Think Before U Click’, feels right. Cybercriminals create a sense of urgency to make victims more likely to act hastily against their own best interests.
As football fans know (tortured analogy alert!), many teams use pressure tactics to force their opponents into making mistakes. The idea is to overwhelm the players and cause panic, so they lose the ball close to their own goal. Sound familiar?
Put ’em under pressure
Sharing good security practices and raising awareness of the risks is a bit like coaching young footballers: when they’re confident in their ability, they learn to stay composed, resist the opponent’s pressure, and put their foot on the ball before choosing the right pass and escaping the danger.
Security is never just a technology issue, so it’s always worth focusing on the people aspect. In the spirit of empowering people and organisations to protect themselves from cyber risks, we’re going to look back at three of the main threats from the past year: ransomware, data breaches, and phishing. We’ll cover lessons to learn to prevent them from becoming risks to your business.
Ransomware crossed over into wider public consciousness in Ireland after the Health Service Executive (HSE) was targeted last May. The impact was devastating: as RTE reported, the attack caused delays to medical treatments and masses of cancelled appointments. It affected more than 2,000 systems and set back public health by weeks if not longer – a bad situation at the best of times but especially fraught in the teeth of a pandemic.
It started with a link
It all began with a single , The Journal reported. Unconfirmed reports suggest it may have been a spreadsheet attached to an email, although the root cause has not been publicly disclosed. The HSE was one of many victims worldwide, as ransomware ripped through businesses and public service agencies. Others included the Washington DC police, fuel provider Colonial Pipeline, and JBS, the world’s largest meat supplier.
Few businesses are as big as those mentioned here, but it’s not hard to imagine the consequences of a ransomware attack on any size of business. It is, however, possible to avoid the worst or minimise the impact with some important steps.
- Identify the most important data in the organisation and protect it accordingly
- Keep software patched and updated to avoid exploitation of old vulnerabilities
- Install trustworthy anti-malware (malicious software) and keep it up to date
- Back up your data regularly
- Test the backups work properly and you can get your data back in an emergency
- Have a regular security training and awareness programme for staff
Our white paper has a more in-depth look at how to prevent ransomware and respond to incidents.
Clarity begins at home
Data breaches are another significant security risk, as we’ve seen over the past year. Although social media giants like WhatsApp and TikTok are in a category of their own by virtue of their size and scale, their experiences shine a light on the kinds of data protection issues many other organisations face. One of the main challenges is transparency. The proposed €225 million GDPR fine against WhatsApp centres on allegations that the company isn’t clear enough with users about how it processes and protects their personal information.
This theme came up again with TikTok, after the popular app was the subject of a class action suit in the Netherlands. As BH Consulting data protection analyst Cliona Perrick wrote, businesses need to be transparent to users about what they do with people’s personal information. They also need to make sure they have the proper legal basis for collecting and processing that data.
It’s also worth remembering that data breaches tend to involve a human element. The 2021 Verizon Data Breach Investigations Report found that 85 per cent of breaches involved the human element. When building awareness of data breaches, a very useful source is this interactive graphic showing the scale of some of the world’s largest data breaches, dating all the way back to 2004.
Message in a bottleneck
The third area we’re focusing on is phishing, where scammers send messages made to seem genuine but in fact designed to trick recipients into giving away personal information like passwords, bank account logins, or credit card details. This is rampant in Ireland at the moment, with widespread reports of scam texts and emails.
More than one in three breaches tracked last year involved phishing, according to the 2021 Verizon Data Breach Investigations Report. By some estimates, phishing is up by 22 per cent compared to the first half of 2021.
Phishing takes many forms, but there are a few themes that reappear. Popular scams to watch for include:
- IT tech support wants to connect to fix a problem
- A message from a bank claims it’s uncovered a problem with your account
- The tax agency offers you a rebate
- A telecoms provider says there’s suspicious activity on your account or your Wi-Fi network
- A parcel delivery company texts a link for you to collect a package (this can be especially tricky to judge since many of us regularly buy online and may well be expecting a delivery)
Red flags and bad words
The language in phishing emails can be a clue that the message isn’t genuine. Here are some additional warning signs or ‘red flags’ to watch for.
- A sense of urgency – “if you don’t act quickly something bad will happen”
- Bad grammar or spelling
- Impersonal greeting – “dear customer” instead of your name
- Bills or invoices for items you didn’t buy
- Bullying or coercion – “if you don’t cooperate your manager will be very cross with you”
- Offers that are too good to be true, for example:
  - emails from some random rich person who needs to get money out of a country (and out of all the billions of people on the planet they chose you?)
  - heart-breaking emails claiming to be from charitable organisations looking for donations
  - offers of magical medical cures for slimming or to increase your attractiveness
  - get-rich-quick schemes and gambling tips
  - congratulations on a big win in a competition you never entered
You can also watch a video BH Consulting produced which highlights those red flags or read our white paper on email security.
EU Cybersecurity Month might be for the month of October, but its messages of vigilance, due care, and common sense are valuable all year round.
Be Vigilant Be Safe Be Secure