Cybersecurity is as important as—if not more important than—the physical security you put in place to secure your most valuable possessions. An organization without adequate cybersecurity is akin to a high-end home in the middle of a crime-ridden neighborhood without locks on the doors or windows.
Companies that fall victim to a cyberattack, however, often suffer more than the loss of valuable assets. They face reputational damage, operational downtime, the theft of sensitive customer data, and millions of dollars lost due to inoperable systems. The good news is that many cybercriminals follow predictable patterns when it comes to the kinds of attacks they launch.
Government agencies and cybersecurity entities have already had success using criminals’ habits against them. Your company can similarly combat many cyberattack vectors by taking a few key steps and shifting your focus.
Here are a few common cybersecurity mistakes to stay away from to safeguard your organization.
#1. Failing to Update Your Systems
One of the most common mistakes companies make is to think of cybersecurity as “set it and forget it” measures they can put in place one time and then focus on other endeavors. The truth is you need to constantly update the elements that make up your cybersecurity defenses:
- Operating systems
- Antivirus and antimalware software
- Hardware, such as firewalls
- Software security systems, such as cloud-based security information and event management (SIEM) tools, email protection solutions, software firewalls, and others
By ensuring these and any other cyber protections are updated, you take advantage of the patches manufacturers release to address vulnerabilities.
#2. Underestimating Cyberattacks
An IBM study found that a data breach in 2021 cost $4.24 million on average. However, costs can easily soar, such as in the case of the NotPetya attack, which cost $10 billion; MafiaBoy, $1.2 billion; and even the first internet worm, which might have cost companies and people as much as $100 million in damages. Organizations also had to pay millions of dollars in cyberattack settlements.
Ransomware attacks, which involve a cybercriminal taking control of a system and holding it hostage until the target victim pays a ransom, have been particularly potent attack vectors. For example:
#3. Not Training Employees on Cybersecurity
Because cybercriminals often use employees to gain access to a company’s system, leaving them untrained opens the door wide for these opportunistic predators. To ensure employees know what to look for, what to do, and stay on the alert:
- Communicate the possible impacts of a breach
- Teach them about the different kinds of threats on the landscape
- Make your cybersecurity messaging easy to understand
- Include cybersecurity training as part of your onboarding process, reiterating key messaging throughout the employee lifecycle
To help you get started, these security companies provide a range of training programs for various types of users:
#4. No Effective Testing Process
Testing your cybersecurity system is critical. Service providers and manufacturers can claim their solutions will adequately protect your system, but testing is the only way to verify whether you have the safeguards you need. It can be tempting to think, “Well, we haven’t been attacked yet, so we must be doing something right.” While this may be true—at least in part—it could also mean that you just haven’t been hit by the attack that your system can’t handle.
It’s similar to a home security system. A house with a well-protected front door may not get broken into for years, but that may be because the house owners have yet to meet a thief who knows how to access a second-floor window. When the home faces this kind of attack, its other defenses will be meaningless.
The same thing can happen with your organization's cybersecurity defense system, and this underscores the value of testing. For example, if your antimalware is top-notch, fully updated, and feature-rich, you can successfully rebut malware attacks for years. But that may not protect you against a whale phishing attack that tricks an executive into providing their login credentials. On the other hand, if you regularly test all facets of your cyber defenses, including how employees and executives react to attacks, you stand a better chance of revealing a weakness—and fixing it.
To ensure your defenses are adequate, you can:
- Hire a penetration tester to assess your cyber defense technology
- Hire a white hat hacker to attempt to bypass both your cybersecurity tech and employees
- Use a cybersecurity testing tool
#5. Not Focusing on Email Security
Email security should be paramount in your cyber defense strategy because email is one of the most common attack vectors. This is because employees generally use email for work, and many companies have their own email systems that they give employees access to.
Email is commonly used to launch:
- Phishing attacks
- Get malware onto users' systems
- Deliver ransomware
- Execute business email compromise (BEC) attacks, which are a kind of phishing designed to trick someone into sending money
Focusing on email security allows you to cover several cybersecurity bases at the same time. For instance, if employees know the kinds of links not to click, you strengthen your defenses against all of the above attack vectors. Further, if they understand what to look for if an email brings them to a site asking for login information, you protect both your organization’s access credentials and your employees’ personal and financial accounts.
How Weak Email Security Resulted in Millions of Dollars Lost to Evil Corp
Despite the range of high-tech, intricate, and complicated attack methods hackers use, one of their favorite go-to vectors is email phishing. Several organizations learned this the hard way, thanks to a series of attacks levied by hacker coalition Evil Corp. The U.S. government and Britain’s National Crime Agency (NCA) and National Cyber Security Centre (NCSC) joined forces to track down eight members of the group and sentence them to a total of more than 40 years in prison.
Here’s how the hackers stole around $100 million and how they were eventually apprehended.
- Online forums for organizing criminal activity: Cybercriminals led by Maksim Viktorovich Yakubets, nicknamed “aqua,” used an online criminal forum called DirectConnection to get together and organize attacks and the infrastructure needed to cash in. Yakubets set up a subforum within DirectConnection specifically for banking fraud. Here, Evil Corp members could meet to discuss their strategies.
- Phishing attacks to obtain banking credentials: Attackers then sent phishing emails to people who worked for organizations, requesting login credentials for either bank accounts or payroll accounts. Once these were obtained, the hacker immediately sent the information to the others in their criminal network using DirectConnection. The information was then used to hack into an organization’s account, gaining access to their payment system.
- Money mules for funneling the money to cybercrime bosses: Mules, who had been well-tested and vetted beforehand, were then sent a message saying a “client” was to send them money. They were directed to take their portion of the cash and then send the rest back to Evil Corp’s bosses.
How the Authorities Brought Down Evil Corp
While the DOJ and the FBI declined to provide specifics, they did reveal some information regarding how they managed to catch the eight members of Evil Corp—through their own money mules.
Each money mule had to submit their bank account information to Evil Corp during the recruitment process. Law enforcement then found the mules and used them to track down Evil Corp members. The mules, while less skilled and experienced than the hackers giving them orders, were an essential element of the scheme. They received and forwarded stolen money, so government officials got to the big bosses through them.
Even though Evil Corp has finally been brought down, its success is a sobering reminder of the importance of cybersecurity vigilance.
Proactively Defend Your Cyber Ecosystem
By updating your cybersecurity tools, recognizing the damage a cyberattack can inflict, training employees, testing your defenses, and focusing on email security, you are in a much better position to defend your organization’s cyber ecosystem.
The cost of a single breach justifies virtually any expenditure required to fortify your security defenses, but in many cases, you can bolster security relatively inexpensively. The key is avoiding a "set it and forget it" approach and constantly revisiting your solutions to test for any sign of weakness.
Online Threat Alerts Security Tips
Pay the safest way
Credit cards are the safest way to pay for online purchases because you can dispute the charges if you never get the goods or services or if the offer was misrepresented. Federal law limits your liability to $50 if someone makes unauthorized charges to your account, and most credit card issuers will remove them completely if you report the problem promptly.
Guard your personal information
In any transaction you conduct, make sure to check with your state or local consumer protection agency and the Better Business Bureau (BBB) to see if the seller, charity, company, or organization is credible. Be especially wary if the entity is unfamiliar to you. Always call the number found on a website’s contact information to make sure the number legitimately belongs to the entity you are dealing with.
Be careful of the information you share
Never give out your codes, passwords or personal information, unless you are sure of who you're dealing with
Know who you’re dealing with
Crooks pretending to be from companies you do business with may call or send an email, claiming they need to verify your personal information. Don’t provide your credit card or bank account number unless you are actually paying for something and know who you are sending payment to. Your social security number should not be necessary unless you are applying for credit. Be especially suspicious if someone claiming to be from a company with whom you have an account asks for information that the business already has.
Check your accounts
Regularly check your account transactions and report any suspicious or unauthorised transactions.
Don’t believe promises of easy money
If someone claims that you can earn money with little or no work, get a loan or credit card even if you have bad credit, or make money on an investment with little or no risk, it’s probably a scam. Oftentimes, offers that seem too good to be true, actually are too good to be true.
Do not open email from people you don’t know
If you are unsure whether an email you received is legitimate, try contacting the sender directly via other means. Do not click on any links in an email unless you are sure it is safe.
Think before you click
If an email or text message looks suspicious, don’t open any attachments or click on the links.
Verify urgent requests or unsolicited emails, messages or phone calls before you respond
If you receive a message or a phone call asking for immediate action and don't know the sender, it could be a phishing message.
Be careful with links and new website addresses
Malicious website addresses may appear almost identical to legitimate sites. Scammers often use a slight variation in spelling or logo to lure you. Malicious links can also come from friends whose email has unknowingly been compromised, so be careful.
Secure your personal information
Before providing any personal information, such as your date of birth, Social Security number, account numbers, and passwords, be sure the website is secure.
Stay informed on the latest cyber threats
Keep yourself up to date on current scams by visiting this website daily.
Use Strong Passwords
Strong passwords are critical to online security.
Keep your software up to date and maintain preventative software programs
Keep all of your software applications up to date on your computers and mobile devices. Install software that provides antivirus, firewall, and email filter services.
Update the operating systems on your electronic devices
Make sure your operating systems (OSs) and applications are up to date on all of your electronic devices. Older and unpatched versions of OSs and software are the target of many hacks. Read the CISA security tip on Understanding Patches and Software Updates for more information.
What if You Got Scammed?
Stop Contact With The Scammer
Hang up the phone. Do not reply to emails, messages, or letters that the scammer sends. Do not make any more payments to the scammer. Beware of additional scammers who may contact you claiming they can help you get your lost money back.
Secure Your Finances
- Report potentially compromised bank account, credit or debit card information to your financial institution(s) immediately. They may be able to cancel or reverse fraudulent transactions.
- Notify the three major credit bureaus. They can add a fraud alert to warn potential credit grantors that you may be a victim of identity theft. You may also want to consider placing a free security freeze on your credit report. Doing so prevents lenders and others from accessing your credit report entirely, which will prevent them from extending credit:
- Equifax
- Experian
- TransUnion
Check Your Computer
If your computer was accessed or otherwise affected by a scam, check to make sure that your anti-virus is up-to-date and running and that your system is free of malware and keylogging software. You may also need to seek the help of a computer repair company. Consider utilizing the Better Business Bureau’s website to find a reputable company.
Change Your Account Passwords
Update your bank, credit card, social media, and email account passwords to try to limit further unauthorized access. Make sure to choose strong passwords when changing account passwords.
Report The Scam
Reporting helps protect others. While agencies can’t always track down perpetrators of crimes against scammers, they can utilize the information gathered to record patterns of abuse which may lead to action being taken against a company or industry.
Report your issue to the following agencies based on the nature of the scam:
- Local Law Enforcement: Consumers are encouraged to report scams to their local police department or sheriff’s office, especially if you lost money or property or had your identity compromised.
- Federal Trade Commission: Contact the Federal Trade Commission (FTC) at 1-877-FTC-HELP (1-877-382-4357) or use the Online Complaint Assistant to report various types of fraud, including counterfeit checks, lottery or sweepstakes scams, and more.
- Identitytheft.gov: If someone is using your personal information, like your Social Security, credit card, or bank account number, to open new accounts, make purchases, or get a tax refund, report it at www.identitytheft.gov. This federal government site will also help you create your Identity Theft Report and a personal recovery plan based on your situation. Questions can be directed to 877-ID THEFT.
How To Recognize a Phishing Scam
Scammers use email or text messages to try to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could get access to your email, bank, or other accounts. Or they could sell your information to other scammers. Scammers launch thousands of phishing attacks like these every day — and they’re often successful.
Scammers often update their tactics to keep up with the latest news or trends, but here are some common tactics used in phishing emails or text messages:
Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. You might get an unexpected email or text message that looks like it’s from a company you know or trust, like a bank or a credit card or utility company. Or maybe it’s from an online payment website or app. The message could be from a scammer, who might
- say they’ve noticed some suspicious activity or log-in attempts — they haven’t
- claim there’s a problem with your account or your payment information — there isn’t
- say you need to confirm some personal or financial information — you don’t
- include an invoice you don’t recognize — it’s fake
- want you to click on a link to make a payment — but the link has malware
- say you’re eligible to register for a government refund — it’s a scam
- offer a coupon for free stuff — it’s not real
About Online Threat Alerts (OTA)
Online Threat Alerts or OTA is an anti-cybercrime community that started in 2012. OTA alerts the public to cyber crimes and other web threats.
By alerting the public, we have prevented a lot of online users from getting scammed or becoming victims of cybercrimes.
With the ever-increasing number of people going online, it important to have a community like OTA that continuously alerts or protects those same people from cyber-criminals, scammers and hackers, who are every day finding new ways of carrying out their malicious activities.
Online users can help by reporting suspicious or malicious messages or websites to OTA. And, if they want to determine if a message or website is a threat or scam, they can use OTA's search engine to search for the website or parts of the message for information.
Help maintain Online Threat Alerts (OTA).