Common Cyber Threats that Persist in 2021 and How to Protect Against Them
In 2020, hackers took advantage of the pandemic-triggered workplace confusion and resulting corporate vulnerabilities that were created when employees moved en masse to teleworking on unsecured networks. According to the FBI, online complaints reported to its Internet Crime Complaint Center nearly quadrupled in the first few months of the pandemic—to as many as 4,000 a day. These included phishing emails, spam text messages and phone calls, and attacks against vulnerable VPNs.
More than halfway through 2021, the chaos has calmed as businesses and employees have settled into the remote working routine. COVID-related scams are also winding down. However, bad actors are not slowing their cyber-assaults, and organizations of all sizes continue to face threats to their critical data. Below is a list of common cyber threats and suggestions on how to protect against them. Key to dealing with any type of cyberattack is having an incident response plan in place to quickly and effectively address and manage the aftermath of a security incident.
- Social engineering: Social engineering refers to a variety of malicious activities designed to trick victims into providing confidential information, such as passwords or other credentials, or taking an action that gives the attacker financial or personal information. This can include vishing—fraudulent but authentic-sounding texts or phone calls; pretexting—building a false sense of trust to obtain personal information; and baiting—offering a reward for providing credentials or confidential information.
Protection: These attacks work because they rely on human curiosity, greed, fear, and willingness to help. Regularly scheduled security awareness training is one of the best ways to counter them. This training can teach staff how to recognize social engineering attempts and how to avoid them. It’s also important to have reporting mechanisms in place so employees can report suspected attempts.
- Phishing: Phishing is a form of social engineering where bad actors send fake emails with malicious links and/or downloadable attachments containing malware or ransomware. Sometimes these links take victims to spoof websites that encourage them to validate login credentials and other sensitive information. According to Verizon, phishing attacks account for more than 80 percent of reported incidents.
Protection: Security awareness training is the best defense against phishing attacks. All employees should receive training on what phishing emails look like, such as an email from an unexpected or unfamiliar source that demands immediate action, and what to do when they suspect they’ve received one. This includes running phishing exercises to see if employees click on links as well as other types of penetration testing that mimic ways hackers operate.
- Ransomware: Ransomware attacks often occur after an employee falls for a phishing email or other social engineering method—it only takes one—that gives hackers access to a corporate network. According to CSO Online, 94 percent of malware is delivered by email. Hackers lock up or encrypt access to an organization’s network or files in exchange for payment. And in the case of a double extortion ransomware attack, the hackers leak selected material on the dark web as they increase their financial demands.
Protection: Create regular backups of all essential information. Keep network systems up to date with the latest security patches to avoid exploitable vulnerabilities that give hackers access, or ensure compensating controls are in place to protect systems where patching is not possible. And as with all types of phishing or social engineering attacks, institute security awareness training that teaches all employees how to recognize and report these attempts.
- Cloud vulnerabilities: A growing number of businesses are adopting cloud-based technologies, taking advantage of the increased flexibility, agility and mobility, monitoring, quicker disaster recovery, and reduced costs this environment offers. However, organizations should not rely on the cloud provider for cyber security protection. No cloud service can be completely immune from security threats, such as hacked accounts, malware, loss of data, accidental changes or deletions, and abuse of privileges. According to Fintech News, cloud-based cyber attacks rose 630% between January and April 2020.
Protection: Use an encrypted cloud service from a carefully vetted cloud services provider, be mindful of what information is stored in the cloud, use strong passwords that are updated regularly, and secure end-user devices. Back up your original back up with either a local/on premises storage or a cloud-to-cloud back up. Implement permissions by only allowing employees access to what is necessary to do their job. This prevents users from accidentally causing damage, and it protects from hackers who may have acquired the employee’s login credentials.