Awareness about cybercrime within organizations is still somewhat recent. Today, it is one of the fastest growing forms of crime worldwide. Cybercrime has become more professional, especially with increasingly structured organizations that generate very significant revenues of up to: $1.5 trillion per year.
Cybercriminals have developed a high level of expertise in the computer technologies we use everyday and know everything there is to know about their flaws. Their approach is obviously based on leveraging these flaws but above all, they resort to social engineering techniques to coax users into sharing confidential information.
They then gradually work themselves into the IT system and compromise the security of the entire organization. On average, SMBs and mid-market companies that are victims of cyber crimes have their operations stalled from 1 week to a whole month, their sensitive data exposed and suffer a financial loss of €200,000.
Companies have an obligation to protect their own data either by contract or because they are legally bound to do so. Data protection is a business imperative for both users and organizations and should be at the heart of a company’s strategy.
When hackers break into a company’s system, the consequences for that organization are often dramatic because the cyber criminals destroy, corrupt or steal personal or sensitive data (list of customers, pricelists, trade secrets) to either leverage that information or sell it on the Dark Web.
Their second source of revenue is cyber extortion which consists in conducting ransomware attacks on companies; they get hold of or threaten to destroy a company’s sensitive data including their data backups leaving these companies completely at the mercy of the hackers.
Beyond the damage caused and the ransoms sometimes paid out, cyber crime shows just how vulnerable and exposed these companies are and can also ruin their reputation.
Main operating methods of cybercriminals
- Phishing: tactics include deceptive emails, websites, and text messages to steal information.
- Spear Phishing: email is used to carry out targeted attacks against individuals or businesses.
- Baiting: an online and physical social engineering attack that promises the victim a reward.
- Malware: victims are tricked into believing that malware is installed on their computer and that if they pay, the malware will be removed.
- Pretexting: uses false identity to trick victims into giving up information.
- Quid Pro Quo: relies on an exchange of information or service to convince the victim to act.
- Tailgating: relies on human trust to give the criminal physical access to a secure building or area.
- Vishing: urgent voice mails convince victims they need to act quickly to protect themselves from arrest or other risk.
- Water-Holing: an advanced social engineering attack that infects both a website and its visitors with malware.
How to protect against cyber crimes?
Cyber Security strategies usually stem from an Information Systems Security Policy (ISSP), which is the equivalent of a “Master Plan” in terms of IT security. It is, in principle, implemented by the Information Systems Security Manager (ISSM) who defines the goals aimed for as well as the different means and techniques that will be used. Here are some examples:
- Antimalware & MDM (Mobile Device Management): This first level of protection is essential. Antimalware or MDM solutions such as Windows Defender, Trend or Microsoft Intunes secure and control corporate or personal terminals and thus allow the effective application of a global security policy of the “Conditional Access” type, possibly based on MFA (MultiFactor Authentication) and other criteria such as connection times and locations for example.
- Least privilege and Separation of duties: The administrator accounts manage all of the company’s strategic IT assets: on premise or Cloud, hardware or software. As a result, these accounts, which oversee the corporate directory, must comply with certain best practices such as complex and renewed passwords, multi-factor authentication, segregation of duties and the principle of least privilege.
- Cyber awareness program: To help build a culture of security in the workplace and foster a sustainable change in behavior on these issues. An internal security awareness campaign must be run to get all the company employees onboard. It is the sine qua non for significantly reducing user-generated risk.
- IT Charter: An IT charter also ties into the ISSP. It outlines the rights and obligations of users with regard to the Information System.
Cybercrime poses a real threat to businesses today. Businesses are stepping up the fight against cyber crime.
Hackers, unfortunately, like dopers in sports, are often one step ahead of the game. Nevertheless, we know more about the way they operate today. We can do much more to reduce the risks by staying organized and using the appropriate technologies to combat cyber crime.
With an efficient cybersecurity policy, companies can fend off cyber attackers and not fall prey to their scams and online fraud.
by Cyrille Duvivier, Customer Care Strategic Director at Prodware.
Article initially published in InformatiqueNews