Cybercrime went big in 2017: There was Yahoo’s 3 billion record loss, Equifax’s 143 million record breach, and Uber’s disclosure that they lost 57 million records in November. The news of these security breaches is horrible if you’re someone who uses email, consumer credit, and ride-sharing apps—that pretty much covers everyone reading this, right?
But what about the scary incidents that flew under the radar? Most of the 1,579 breaches reported to the Identity Theft Resource Center and the 1,935 confirmed incidents analyzed in the Verizon Data Breach Investigations Report (DBIR) didn’t get any media attention—and yet, they caused a lot of damage in their own right.
While most of the stolen laptops, phishing emails, and hacked ATMs in 2017 didn’t impact millions of people all at once, they still happened. In fact, those “boring” incidents that happen every day are the ones you should really pay attention to.
Roll with the password aftershocks
An unknown group of hackers reportedly got inside Neiman Marcus’ mobile app environment using a list of username and password pairs they’d purchased from another breach. When your employees don’t change their passwords, it’s way too easy for hackers to brute-force access into your network. The same type of incident—unauthorized login using credentials from somewhere else—was reported at MFT Stamps, Kimberly-Clark, AT&T, and other companies. It’s not unlikely that a company lost your password at some point in time, and now, it might be published online.
Remember that xkcd web comic about password entropy, or how all it would take to rule the world is gaining access to the one password everyone recycles over and over again? It’s spooky-accurate.
Image courtesy of xkcd.
According to Verizon, 81 percent of hacking-related incidents in the last year involved weak or stolen passwords. Experian also reported on a growing trend of credential reuse they call password aftershocks, where the credentials stolen in one breach can be resold and recycled by cybercriminals. If someone’s logging into your network and you don’t know why, maybe they got ahold of the “BlueEyedG1rl” password an employee formulated in 2005 for AOL and has since recycled.
Security solutions need to accommodate the fact people tend to recycle passwords. Better policy-based administration is a start, but it’s probably time you looked at non-password authentication methods, like tokens, SMS alerts, or biometrics.
Beware: Things are still phishy
Sunbelt Rentals got hooked by a spear phishing campaign last year that started with an email spoofed to look like it was sent by the company’s IT VP. The same method is used on hundreds of other victims, including hospitals, financial firms, energy companies, universities, and more. On top of that, when a phishing attack lands a victim, hackers make sure malware is quickly installed afterward 95 percent of the time, per the DBIR.
Security solutions may be less common than you think. Many companies don’t even conduct training on phishing or social engineering, even though spam is now 57 percent of global email volume and the use of sophisticated tactics for spoofing emails and wrapping URLs in text links is on the rise. At the end of the day, there’s no simple solution to an endpoint that’s as unpredictable as human behavior. Awareness and simulation is a start, but so is smart security hygiene and investing in endpoints engineered for security.
Dodge both old-fashioned hacks and new DDoS attacks
There are hundreds of hacking-related security breaches in the United States under active investigation at health care providers—and that’s just in one heavily targeted industry. The majority of attacks are often financially motivated and less often an attempt to recruit your router for a DDoS attack on someone else. Large companies bear the brunt of DDoS attack impact, but even if your company isn’t big, you still don’t want to fight a botnet army. DDoS mitigation services are important when you’re under siege.
Most of the companies that get hacked are—according to a recent IDC report on endpoint security—guilty of poor security hygiene. It’s a gross-sounding term that includes things everyone is guilty of slacking on, like failing to patch that one utility server or having a VoIP phone with the password “root.” Companies often have something egregiously easy to hack on their network, like a device with an embedded web server and no password protection that hasn’t had a security update run in a decade. Hackers aren’t hard workers—they’re opportunistic.
You’ve got too many endpoints to manage reasonably already, so there’s no reason to make bare-minimum security hygiene any harder than it needs to be. Investing in smarter endpoints, like printers with built-in security features, can make your company way less appetizing to hackers.
Batten down for security breaches
In the wake of near endless attacks small and large in 2017, we’re all wondering what’s next. Will the months to come yield true state-level cyberwarfare? An even sturdier wiper virus? A corporate breach to rule them all, exceeding the historical record of 3 billion records lost? While no one knows what’s next, the threats you need to fear are the ones that didn’t hit the news, which involve a lot of boring phishing attacks, hacking, and bad passwords.
The security solutions that hit hackers where it hurts aren’t necessarily cutting-edge; they are, however, primed for the most commonplace modes of attack. Start tightening up your IT network security now, and you’ll thank yourself down the line.