Cyberthreats You Need to Know (and What to Do About Them)

Blog Article Published: 05/24/2023

Originally published by Schellman in October 2022.

Did you know that we’ve just come to the end of National Cybersecurity Awareness Month?

When you think about it, October is a fitting choice for such a designation. After all, this is the time of year we’re all watching scary movies about vampires, zombies, and—if you’ve got classic taste—Michael Myers.

Fear of these fictional monsters is part of October’s annual charm, but when it comes to your cybersecurity, the fear of breaches is decidedly not charming. It’s not a nice feeling to know there are actual malicious actors out there, lurking like Halloween ghouls, waiting to find a weakness in your applications, networks, or employees so they can take advantage, leaving you with financial and reputational losses.

In this article, we’ll go over three of the prominent methods cybercriminals use to exploit organizations—phishing, insider threats, and ransomware—along with some basic mitigating tactics you can use against them.

As with haunted houses, the scariest things are what we don’t know is out there, but having read this article, you’ll be more on your toes and ready for the next jump scare.

3 Cyber Threats You Need to Know About in 2022

Phishing

You’re likely already familiar with the concept of phishing attacks—someone poses as a legitimate institution, often through website ads or e-mails, and dupes you into providing your personal information. Should anyone at your organization click on the wrong link at any given time, suddenly the “horror movie” has manifested itself and made you an example of the price paid for lax cybersecurity.

Common hallmarks of a phishing scam include:

  • Too Perfect: As in, the idea—a cash prize or something similar—is too good to be true.
  • “Act Fast!”: Sometimes, cyber criminals will even threaten negative consequences if you don’t provide personal details immediately, like shutting down your account.
  • Subtle Hyperlink Deception: Bad actors will get sneaky with their URLs—at a quick glance, you might read www[.]bankofarnerica.com and see nothing wrong, but if you examine it closer, you’ll see clicking it won’t direct you to your bank.

Phishing actually falls under the larger umbrella of social engineering, which encompasses more tactics that take advantage of unsuspecting people.
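As an added example (not part of the original article), here is a small Python check that flags the kind of lookalike URL described above by collapsing confusable character sequences such as "rn" for "m" before comparing the host against an allowlist; the CONFUSABLES table and the TRUSTED allowlist are constructed samples, and defanged inputs like www[.]bankofarnerica.com are refanged before parsing.

```python
from urllib.parse import urlsplit

# Lookalike sequences that read like another letter at a glance
# (constructed sample table, not an exhaustive confusables list).
CONFUSABLES = {
    "rn": "m",   # the "bankofarnerica" trick from the article
    "vv": "w",
    "cl": "d",
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
}

# Domains the organisation genuinely trusts (constructed sample allowlist).
TRUSTED = {"bankofamerica.com", "example.com"}


def host_of(url: str) -> str:
    """Extract the lowercased host from a URL, refanging '[.]' and 'hxxp' first."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def skeleton(host: str) -> str:
    """Collapse confusable sequences so a lookalike and its target normalise alike."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(url: str) -> str:
    """'trusted' for an allowlisted domain, 'lookalike' if only the
    skeleton matches an allowlisted domain, otherwise 'unknown'."""
    host = host_of(url)
    if any(matches(host, good) for good in TRUSTED):
        return "trusted"
    if any(matches(skeleton(host), skeleton(good)) for good in TRUSTED):
        return "lookalike"
    return "unknown"
```

A host that merely embeds the brand as a subdomain of an unrelated domain still comes back as "unknown", so this complements rather than replaces a reputation feed.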

Insider Threats

The human element to your cybersecurity is also particularly important when it comes to dealing with insider threats. Phishing may originate externally, but insider threats come from within your organization—think employees (current and former), vendors, or other stakeholders. They use their authorized access to do harm—whether they’re being deliberately malicious or unwittingly negligent.

Examples of insider threats include:

  • Those who exfiltrate data after being fired or furloughed
  • Those who sell company data or trade secrets for profit
  • Lax third-party vendor security (which was responsible for the infamous Target breach)

The point is that you not only have to worry about those who don’t have access getting into places they shouldn’t—you also have to worry about those that do have access.

Ransomware

Finally, we come to ransomware—one of the most prevalent cyberthreats at the moment. What was once a popular buzzword has become extremely lucrative for cybercriminals. A type of malware, ransomware allows a hacker to encrypt a victim’s file system and revoke the organization’s access so that they can extract money in exchange for the data and/or restoration of access.

These criminals often use the following to get their exploitation malware onto your systems:

  • Phishing—mentioned above
  • Drive-by downloading—when a user unknowingly visits an infected website, at which point malware is downloaded and installed without their knowledge.
  • Poor patch management—Internet-facing servers or services with unpatched vulnerabilities that allow remote code execution (RCE). Once an attacker exploits such a flaw and gains a foothold on your infrastructure, they can execute ransomware or pivot deeper within the network.

Not only do you stand to potentially suffer an irreversible loss of your data, but the ransoms demanded aren’t always small potatoes either—the highest known ransom payment to date was $40 million USD paid by CNA Financial in 2021.

Given that 2021 also showed a 100% increase in the attacks themselves, it’s long past time to start taking these threats seriously.

How to Mitigate Cyberthreats

So then, how do you equip yourself with the right tools and—perhaps most importantly—informed employees to defend against these villains?

Take Internal Action

Let’s break down these two facets we mentioned and provide some basic starting points:

Tier: Tools

What you should do:

At a baseline, do you have these in place?

  • Firewalls
  • Intrusion detection and prevention systems (IDS / IPS)
  • Antivirus (AV) and Endpoint Detection and Response (EDR) software

To take it up a notch, have you implemented these?

  • Multi-factor authentication (including FIDO2 varieties, such as YubiKeys)
  • Password management tools (such as LastPass, KeePass, etc.)
  • Consistent patching and security updates to computer software

Tier: People

What you should do:

Instill a clean desk policy

Mandate adequate security training and awareness activities

How do you know what’s “adequate”?

  • Don’t just outsource: evaluate applicable information from your privacy and security policies and align the security training objectives with those of your organizational mission.
  • Make sure this includes education, so your employees know how to spot phishing, pretexting, baiting, and other social engineering tactics.
  • The better an organization’s security training and awareness, the higher the number of reported incidents should be among its employees, and the smaller the risk of a breach.
  • Engage a trusted third party to conduct realistic phishing simulations on a quarterly or more frequent basis.

Human error remains one of the biggest threats to security, but your staff can also be your biggest asset here—they just have to know what to look for while going about their work.

For more information on how to build a successful cybersecurity program across the board, read our article on the 5 cornerstones you need.

Leverage Security and Compliance Assessments Against Cyberthreats

Many organizations already have to comply with different industry standards such as NIST, PCI, ISO, and HIPAA—adhering to those best practices within the frameworks will help tighten your security. You also might consider penetration testing, of which there are different types that will simulate specific cyberattacks on your networks and applications to discover your vulnerabilities:

Next Steps for Your Cybersecurity

October may be National Cybersecurity Awareness Month, but the need for cyber defenses is year-round, especially now as attacks continue to grow more and more sophisticated. Awareness is key—for you and your staff—and now you know about three big approaches hackers use.

For more tips on personal accountability and security, the National Initiative for Cybersecurity Careers and Studies (NICCS) is a great resource that offers good details on how individuals should be cognizant of internet use from both a personal and professional standpoint.

You might also check out our other content on other cybersecurity resources and threats so you can take all the necessary steps to protect yourself:
