By Tony Zafiropoulos
Why does it seem that ransomware attacks are getting worse? And who is attacking us anyway? In my book Too Late You’re Hacked: Defending Your Small Business’ Computers and Networks, I review this issue. Here is an overall synopsis: “Nation-state funded groups, and criminal enterprises are the attackers now.” The nation-states we need to be concerned about: China, Russia, Iran, and Norks (North Korea).
Norks are just like a criminal enterprise, but more organized and with a larger war chest. The only way the Norks make money is to steal it from us, which is due to the trade restrictions we place on them. Criminals no longer have to be good at every aspect of an attack; these days, one can outsource the various pieces to make a cyberattack successful.
Ever since 2014, when the malware attacks made the criminals over $300 million, it has become exponentially worse. Seven years later, the criminals have built an empire out of cybersecurity attacks, with experts in each aspect of attacking, making it more profitable to cyberattack than to run drugs. A criminal no longer needs several whiz kids; now, they only need a kind of criminal project manager who buys the attack pieces they need.
Since the attackers are making more money with every successful attack, the attacks will always increase. If you are a cyberattacker and want more money (we all do, right?), what do you do? You make more attacks, especially if they have been successful. The ‘bad’ guys are getting better, faster, and more sophisticated – are you? Let’s briefly discuss what we can do to prevent successful attacks.
The Five Critical Aspects of Cybersecurity
The trouble is that it is not a one-time solution where a single product can fix the problem. This is why it is not easy and does not get done, unless management has the will and the tech staff is able. It is not possible to buy a device and then say, “We are now cybersecure!”
Cybersecurity is difficult and must be addressed in a systematic manner:
- Patch management
- Anti-virus management
- Firewall management
- Backup management
- Social engineering and Security policy
Any one of these five areas has a lot of room for mistakes and errors in management, execution or otherwise.
Of course, the first item on the agenda should be the will to make it work, and here is where many people get tripped up (about 30% of the population). The Psychology of Security is harming us, which is a topic I discuss in my book.
The Psychology of Security
Humans like to copy what others are doing; it is an innate tendency that makes one less likely to do something unless one sees others doing it. Were you one of the first people with a cellphone? Or did you wait until most others had it?
You see, there is also a unique psychology in the security field because, in security, most people do not like to talk about their situation. So it becomes a guessing game as to what your neighbor is actually doing. It is a kind of catch-22 until it is too late, in which case, everyone is looking at you and asking, “Why was there a problem?”
Personal Cyber Maintenance
Establishing cyber defenses is not easy and will only be a risk management exercise since there will not be a guarantee of no hacking. But I believe one can defend devices with a relatively low amount of effort and resources to make one’s systems more difficult to crack, which is, ultimately, the point.
Managing your patches (updating your systems on a regular basis), setting up anti-virus software to catch the old viruses circulating out there, and setting up a firewall to cover some basic attacks from internet criminals are key. Backup management is also very important and has to be set up properly. You must have backups set up automatically, and those backups also must go offsite. If ransomware gets your backup, the backup is useless.
The toughest item may be the security policy and social engineering defense. This is where you set the bar, which includes setting the rules and culture of your company that states what you want to do and why.
Engaging a Systems Auditor
As a final must-do, your systems must be tested by a systems auditor. This is what I do in the cybersecurity field. I also wrote a book that includes a basic security policy to give you a quick leg up. All you need to do is use the PCI (Payment Card Industry) compliance 12 points and get going from there.
All it takes is $20 and your will to make cyber defense just enough of a priority to reduce the chances of an attack to manageable levels. Check out Too Late You’re Hacked: Defending Small Business’ Computers and Networks for a more detailed explanation of this complex subject and more. While cybersecurity is dynamic and ever-changing, these basic cyber defense measures will help you establish basic cybersecurity that helps you avoid a crisis that could take down your entire organization in a matter of seconds.
Tony Zafiropoulos is a CISA Certified Information Systems Auditor at FixVirus. To learn more, visit fixvirus.com.