Coronavirus, hackers and a little psychology
2020 brought companies around the world a shocking experience as they moved to remote work. According to statistics, the number of cyberattacks worldwide last year increased 1.5 times compared to 2019, with 86% of them targeting legal entities. Companies have faced cyberattacks and breaches of information security by employees, and in one third of cases such incidents have also led to financial losses.
What is the most logical response? Proactive, rather than reactive, information security training for employees.
Cyber threat - what does employee carelessness cost?
Since the beginning of the pandemic, the number of cyberattacks against legal entities has increased by 600%, according to a report by the American information security company Purplesec. The report analyzes data for the US, but analysts point out that the rise in cyber threats is a global trend.
The attacks succeeded for several reasons: organizations' services were insufficiently protected and proved vulnerable to intrusion, devices were poorly secured, and employees were unwilling or unable to resist social engineering, which cybercriminals used skillfully.
Hackers intensified attacks against companies at the beginning of 2020. First and foremost, hackers attacked government agencies, industrial enterprises, as well as companies working in the fields of science and education.
The number of attacks against industrial enterprises worldwide increased by 91% during the year. According to a study by Positive Technologies, in 2020 seven out of 10 attacks were targeted (directed and deliberate). In the opinion of the company's experts, the top three targets are government agencies (19%), industrial companies (12%) and medical organizations (9%). Just a few years ago, attackers mainly targeted banks in order to withdraw funds from them; now they seek not only money but also information, or aim to block the company's activity altogether.
Experts point out that in many cases the weak link through which attackers penetrate a company is its own employees. 98% of cyberattacks rely in some way on social engineering, notes an American specialist from an information security company. She analyzed incidents involving her clients in the US, but notes that the same patterns are common in other countries. The psychological tricks used are ones that untrained employees cannot recognize, so they fall victim to sophisticated tactics for extracting information, which is then used to penetrate the company's databases.
For example, 45% of company employees open suspicious emails "just in case it matters"! And 47% of employees of ID Agent's clients cite expertly forged emails from cybercriminals as the main factor that prevented them from detecting the phishing attempt.
The pandemic created a huge number of news hooks that scammers began to use for phishing attacks. For example, cybercriminals send letters to company employees stating that, in connection with the pandemic, they may receive certain tax breaks or additional payments from their company, the state, or the bank through which they receive their salaries.
What lessons can we learn from past security attacks?
Both Western and our own information security experts confidently call 2020 the year of ransomware.
The encryption business works according to a proven scenario: the victim's data is encrypted, the original files are deleted, and then a one-time sum is demanded as ransom. Most often, such a virus spreads through phishing emails opened by company employees. To restore the functionality of services, the hackers demand that the ransom be paid in cryptocurrency, usually in bitcoin. Without obtaining the archives held by the attackers, data recovery is impossible.
A vivid example of a ransomware attack in 2020 is the attack against Garmin, one of the largest manufacturers of GPS navigators and smartwatches in the US. On the evening of July 22, 2020, the Garmin Connect service, intended to synchronize activity data for smartwatch owners, was completely unavailable. There were outages in the company’s website, and the support service was blocked. The reason was a hacker attack on the company using WastedLocker software. The attackers demanded a ransom of 10 million dollars from the company, and the company paid to receive the access code.
Another popular ransomware in 2020, Netwalker, was distributed exclusively with the help of phishing emails to employees of potential victims. The subject of the messages is coronavirus; the attached file contains malicious software.
According to experts, Netwalker is responsible for more than 10% of this type of attack. The malicious software emails attacked logistics giants, industrial conglomerates, energy corporations, and other large organizations. According to McAfee, which studied the ransomware and tracked the hackers' bitcoin wallets, in just a few months in 2020 the criminals' revenues exceeded 25 million dollars. Even a novice hacker could use malware for extortion. The owners of Netwalker distribute the virus in a kind of franchise, giving it away for free with instructions on how to use it. In the event of a successful attack, they take about 30% of the profit for themselves, according to reports from the Kaspersky team.
Cybercriminals even created a special website where they automatically published all stolen information after the deadline set for ransom payment had expired.
In 2020, the first recorded human death due to the actions of cybercriminals and ransomware also took place. In the fall of 2020, ransomware attacked University Hospital in Düsseldorf, blocking its activities. The hospital could not accept patients and transferred them to other institutions. This cost the life of a woman in need of emergency medical care: she died on the way to another hospital. The clinic officially announced that the cause of death was ransom software that had blocked the hospital's work.
The saddest thing is that today companies are simply not ready to withstand such attacks, Purplesec notes. A 2020 study by cybersecurity specialists found that half of the companies surveyed were not sure of their ability to repel a ransomware attack. Of the organizations attacked in 2020 in the US, 75% used the most advanced information security protection, but the human factor reduced all that protection to zero.
Another striking case was the successful attack on the IT company SolarWinds, and then on its clients. The attackers compromised this software provider and injected a malicious update into its Orion product. Once clients downloaded the update, the attackers gained access to their networks. The victims include FireEye, the Treasury Department, the US National Telecommunications and Information Administration (NTIA), the US State Department, the National Institutes of Health (NIH) (part of the US Department of Health), the US Department of Homeland Security (DHS), the Department of Energy (DOE), the US National Nuclear Security Administration (NNSA), some US states, Microsoft and Cisco. As many as 18,000 SolarWinds clients were reported to be affected, including companies specializing in information security. Experts are unanimous that the trend of attacking a company in order to penetrate the infrastructure of its contractors, mainly through emails, will only grow. In particular, VMware, the largest American developer of virtualization software, stated in its report that at least half of attacks today are aimed at a company's contractor chain.
How to protect yourself from phishing?
The situation with cyberattacks in the world has already forced the US to tighten information security requirements for legal entities. The state of Maryland, for example, will even pay companies $2,500 to raise the level of security (usually this is the purchase of software, training, etc.). Small companies do not have the means for cybersecurity, experts explain. They are confident that in the near future investing in cybersecurity will become a priority for every business. The total size of the global cybersecurity market in 2020 was 167 billion dollars and is expected to grow by 11% annually until 2028, according to Grand View Research.
Today more and more companies are ready to invest in information security. A global survey of 3,249 companies conducted by the Big Four auditing firm PwC showed that 96% of companies worldwide intend to adjust their cybersecurity strategy in connection with the pandemic. At the same time, more than half of respondents intend to increase information security budgets.
According to experts, to improve security it is extremely important not only to invest in software and hardware, but also to work with personnel. To increase a company's cybersecurity, it is necessary to conduct information security training that explains how to recognize a suspicious letter, how to double-check information, and through which channels it is safe to interact with colleagues.
Company employees are far more likely to become victims of scammers than accomplices in crimes. Of course, such employees must be additionally motivated to comply with basic information security rules. It is important to realize that any information leak is a reason for the company to consider whether all employees understand how to act in a given security breach situation.
Usually, company employees simply have no idea what damage their thoughtless actions and lack of basic digital hygiene can cause. For example, according to a study by the Alfastrakhovaniya analytical center, 60% of Russians send screenshots of work correspondence to recipients. According to Kaspersky Lab, 59% of Russians use their personal email to solve work problems, 55% communicate at work via instant messaging. Naturally, a bank employee accustomed to such communication can easily open a letter from a colleague’s personal mailbox.
As a result, according to experts, the effectiveness of targeted attacks against companies using phishing and social engineering is about 80%, while in 45% of cases employees who open a dangerous letter or link do not inform their management about it for fear of losing their bonus or their job. In this regard, experts recommend not only conducting training, but also running simulations, external checks, and test attacks in order to make every employee feel like part of an information security team that protects the company from malicious attacks.
Companies can protect themselves from such damage by training their employees on the ways phishing emails arrive and on how attacks via social engineering are carried out. We offer suitable trainings and workshops. You can contact us at +359 878 685 304 or send an inquiry using the form below. Here you can order an Information Security course developed specifically for the systematic clarification of the basic principles for protecting the company's information assets.