By Prof. Shankar Banik, with Kim Keelor Parker
Whisper a name like Alexa, Cortana, or Siri and gadgets start chattering. Even refrigerators and cars talk now. From smart TVs, conference touch-tables, kitchen countertops, school desks, and watches, to regional utilities and life-supporting power grids, connections to cyberspace are difficult to avoid.
Cyberage (an actual word now according to sources like PC Magazine) conveniences are dramatically increasing efficiencies in business settings while the economy becomes more reliant on spontaneous access to global information and communications. However, the bad actors (criminals) on the other side of cyberspace are multiplying and increasing their efficiencies too.
These criminals and terrorists are often part of a sophisticated network working to identify vulnerabilities within all types devices connected to the Internet. Some are driven by their ideology as they attempt to manipulate human psychology through social engineering attacks by gaining unauthorized access to systems. Other cyber thieves are motivated by financial gain and access to intellectual currency.
Large businesses are targeted for obvious reasons, but small business with fewer resources and technological barricades are often more vulnerable. Being cyber-shrewd by tracking hacking news and developments about devices vital to daily business operations can help. Knowing what kinds of attacks are trending is essential to improving the ability to spot possible breaches. Here are five common vulnerabilities to understand:
The Internet of Things
The Internet of Things (IoT) is a collection of connected devices, electronic systems and servers that work together to convey information or to communicate in some way. By 2020, an estimated 20 billion devices will be a part of the IoT. Malicious users are more connected to the IoT than small businesses, making it essential to limit the use of devices to those that are fully understood and monitored. The cyber infrastructure of every company requires proper security controls installed on all connected devices so that only authorized users can access them.
Social engineering attacks
Social engineering attacks are the most common. The bad actors gather the information needed by manipulating human psychology. For example, phishing is a social engineering attack where assailants send bogus emails claiming and appearing to be a legitimate entity. They try to trick recipients into providing personal information. Sometimes these emails demonstrate some kind of urgency steering users to follow the instructions in the emails without verifying the authenticity of the email. The best defense against social engineering attacks is to try to recognize the sender as legitimate in the email viewing pre-view pane before even clicking to open it, and avoid sending any personal information to an unverified sender.
In 2017, ransomware attacks are drawing global attention for reaching unprecedented levels of effectiveness such as in the case of The WannaCry ransomware attack on England’s national health care system. In this type of attack, a company or individual’s computer files computers are encrypted so that they cannot be accessed. Such attacks can cause expensive disruptions and can shutter an operation for days or weeks. The anonymous attackers extort the file owners via computer, demanding a ransom for the information that can decrypt the files. Authorities strongly recommend not paying these hijackers, as there is never a guarantee they will send the decryption key and can make a business vulnerable for another attack. If it happens, law enforcement authorities should be notified immediately. The best defense against ransomware is to back up all of the files regularly on a separate hard drive that can be disconnected from the computer after each back up.
Electronic applications, or apps, and downloadable software can sometimes open the door to intruders. Free downloadable business templates, format converters, and other electronic conveniences can be useful, but some are offered purely for the purpose of extracting data through an underlying mechanism that embeds itself into a computer, its files, and attached devices. This type of software or app is called malware. One way to protect a device is to update it every time a new version of an app or operating system is provided ─ new security patches are a part of those updates pushed out by trusted vendors after vulnerabilities are detected. Software and apps from established, trusted vendors are best.
Social privacy hazards
Businesses depend on the direct access to customers social media can provide. The affordability of social media marketing, and the resulting metrics are also appealing, particularly to smaller businesses. The reach to potential customers can be astronomical through some of the most popular platforms. According to Facebook, for example, there are 1.28 billion active daily users representing a combination of businesses, organizations and individuals. However, the immensity of social platform networks increases exposure to those with malicious intent. The information small businesses are sharing should be carefully curated, and links to a business owner’s personal social accounts should be avoided on those platforms as an extra security barrier. Default settings in the social media websites might not provide adequate levels of privacy.
The password is the most common authentication mechanism used in the cyberspace. Password management technologies are improving constantly, but in the end, it is the user’s responsibility to develop sophisticated, unique passwords for entry into a business’s web platforms, computer systems and other linked devices. Use a different and complex password for each entry point, and record them on paper in a secure location (so that they are not discoverable electronically). The strongest passwords contain at least 12 characters with letters, numbers, and special characters─ without spelling out any actual words. There are password management tools available for purchase from trusted vendors.
Small business owners might consider investing in an affordable, professional review of their company’s cyber infrastructure once a year, in order to prevent costly attacks in the future.
Prof. Shankar Banik, Ph.D., is the head of The Citadel’s Cybersecurity studies, a National Security Administration (NSA) designated National Center of Academic Excellence in Cyber Defense. He is also the Citadel Graduate College Director of Computer Science, and network security researcher. Banik has earned numerous grants, most recently for two undergraduate research projects, “Ensuring fairly timed network communication,” and “Aggregating and linking social media data for analyzing privacy of a user,” awarded by the SC EPSCoR/Idea Program Office.