We all know technology and the internet have revolutionized the way we communicate, do business, and manage data. Organizations are now increasingly dependent on computers, tablets, and smartphones to conduct their day-to-day activities. Unfortunately, this has coincided with a significant rise in those looking to exploit the technology for financial gain, or to cause damage and interruption to systems and services.
What is Cyber Risk?
Cyber risk is the potential for business disruption, financial loss, or reputational damage due to failure of an organization’s information technology (I.T.) systems.
The risk can come from state-sponsored cyberwarfare, criminal hackers (for financial gain, activism, or mischief), or an organization’s own employees—through accident or malicious intent.
Who is at risk?
Between 2013 and 2015, the Government of Canada detected more than 2,500 state-sponsored cyber activities against its own networks annually. But smaller entities in Canada are also attacked frequently. An Ontario college recently suffered a ransomware virus that knocked a number of services offline, at a critical time in the school year. And a church group forfeited over half a million dollars to thieves who stole employee credentials and made transfers from their bank accounts. In fact, since educational institutions, charities, and smaller organizations typically have fewer resources to defend themselves, they may be at even higher risk.
In many instances, online crime has now overtaken physical crimes, such as burglary or robbery, with the cost of cybercrime expected to surpass $2 trillion by 2019.
Cyber criminals are highly organized and are finding a myriad of new and sophisticated techniques to access data and information for the purpose of financial gain. This can result in money being taken from a bank account, or credit arrangements (such as loans or overdrafts) being arranged in your organization’s name for the benefit of a fraudster.
Some of the more common techniques used by cyber criminals include:
Malware is malicious software, designed to disrupt, damage, or gain access to a computer system. It can be introduced to your network through email attachments, website downloads, or hardware connections (such as an infected USB key). One serious form of malware is ransomware.
Once ransomware has taken control of your network, the attacker attempts to extort money by preventing you from accessing your digital files until you pay a ransom.
Denial of Service (DoS/DDoS)
A Denial of Service attack is a flood of simultaneous requests sent to a website, ostensibly to view its pages, that overwhelms the server until it slows or crashes and legitimate visitors can no longer reach it. In a Distributed Denial of Service (DDoS) attack the requests arrive from many machines at once.
Over 75% of legitimate websites contain vulnerabilities. Sites can be defaced, databases with customer details can be extracted, and malware can be inserted to infect future visitors, or harvest their online activity (such as recording the passwords or credit card details they enter).
Criminals will use any technical, procedural or physical vulnerabilities they can find to exploit or disrupt your systems. Typical methods that may put your organization at risk include:
Phishing, SMiShing, Vishing, Spear Phishing & Whaling
The fraudulent practice of sending messages purporting to be from reputable organizations in order to induce the recipient to reveal passwords or financial information. The messages can be sent by email (phishing), SMS text (SMiShing) or voice mail (vishing), with business accounts targeted six times more frequently than personal ones.
When a phishing message appears to have been sent by a trusted individual, it’s sometimes referred to as “spear phishing”. Similarly, “whaling” is when a message asking for sensitive information appears to be coming from a senior executive of your organization.
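The tell-tale signs described above (a trusted name or executive on an outside address, a look-alike sender domain, a Reply-To that diverts answers elsewhere, and urgent requests for money or credentials) can be checked mechanically. The following is an added example, not code from the original article: the trusted domain, the executive name list, the keyword list and both sample messages are constructed assumptions for illustration.

```python
"""Flag common phishing indicators in an e-mail's headers and body.

Added example, not code from the original article. The trusted domain,
the executive name list, the keyword list and the two sample messages
are all constructed assumptions for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-org.ca"          # assumed: the organization's own mail domain
EXECUTIVE_NAMES = {"jane doe"}             # assumed: names likely to be impersonated (whaling)
URGENT_WORDS = ("urgent", "immediately", "wire", "transfer", "password", "verify")


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_internal(domain, trusted):
    """True for the trusted domain itself and its subdomains."""
    return domain == trusted or domain.endswith("." + trusted)


def looks_like(domain, trusted):
    """True when an external domain resembles the trusted one after common
    substitutions (0 for o, 1 for l, dropped hyphens)."""
    if not domain or is_internal(domain, trusted):
        return False
    normalized = domain.replace("0", "o").replace("1", "l").replace("-", "")
    bare = trusted.replace("-", "")
    return bare in normalized or normalized in bare


def phishing_indicators(raw_message, trusted=TRUSTED_DOMAIN):
    """Return a list of human-readable indicators; an empty list means none fired."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    indicators = []

    # 1. Display name borrows the trusted domain or an executive's name,
    #    but the actual address is external (spear phishing / whaling).
    if trusted in display.lower() and not is_internal(from_domain, trusted):
        indicators.append("display name claims trusted domain but address is external")
    if display.lower() in EXECUTIVE_NAMES and not is_internal(from_domain, trusted):
        indicators.append("executive name on an external address (possible whaling)")

    # 2. Sender domain is a look-alike of the trusted domain.
    if looks_like(from_domain, trusted):
        indicators.append("look-alike sender domain: " + from_domain)

    # 3. Replies would go to a different domain than the one the mail claims to be from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        indicators.append("reply-to domain differs from sender domain")

    # 4. Urgency plus a request for credentials or money.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENT_WORDS if w in text]
    if len(hits) >= 2:
        indicators.append("urgency/credential wording: " + ", ".join(hits))
    return indicators


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: "Jane Doe" <jane.doe@examp1e-org.ca>
Reply-To: accounts@mail-relay.example.net
Subject: Urgent wire transfer needed
Content-Type: text/plain

Please transfer $48,000 immediately and confirm your password.
"""

SAMPLE_LEGIT = """From: "IT Helpdesk" <helpdesk@example-org.ca>
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain

The file server will be offline from 8 to 10 am for patching.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```

On the constructed phishing sample all four checks fire (executive name on an external address, the digit-for-letter look-alike domain, a diverted Reply-To, and urgent wording), while the maintenance notice from the organization's own domain produces no indicators. Heuristics like these complement, rather than replace, sender authentication (SPF, DKIM, DMARC) and staff training, because a message can pass every check and still be fraudulent.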
Email, Website & Software Update Malware
Each time an employee downloads an email attachment, clicks on a website link, or updates their software without up-to-date antivirus software, there’s the potential for malware to be unknowingly installed on their computer and spread throughout the network.
Details found through your organization’s and employees’ internet presence (websites, LinkedIn, Facebook and other social media accounts) may be used to exploit staff naivety and goodwill and elicit the information needed to gain network access.
Weak Network Defenses & Passwords
A firewall creates a barrier between your computers and the internet—a kind of security checkpoint that controls information entering or leaving your network. If your firewall is not constantly running or properly configured, criminals can get access. Similarly, weak email account, computer, network or website hosting passwords can be guessed by automated password-cracking software.
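To see why a weak password falls so quickly to automated guessing, it helps to count the guesses an attacker would need. The following is an added example, not code from the original article: the short common-password list, the assumed guess rate and the verdict thresholds are constructed assumptions, and the estimate deliberately ignores dictionary patterns so that its limits are visible.

```python
"""Estimate how resistant a password is to automated guessing.

Added example, not from the original article. The common-password list,
the guess rate and the verdict thresholds are constructed assumptions.
"""
import math
import string

# Assumed: a tiny stand-in for the multi-million-entry lists cracking tools actually use.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein", "admin"}
# Assumed guess rate for an offline attack against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10


def charset_size(password):
    """Size of the smallest standard character pool containing every character.
    Non-ASCII characters are not counted by this simple estimate."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        pool += 1
    return pool


def assess_password(password):
    """Return a verdict plus the brute-force guess space it is based on."""
    if not password or password.lower() in COMMON_PASSWORDS:
        return {"verdict": "weak", "reason": "empty or in common-password list",
                "bits": 0.0, "seconds": 0.0}
    # Every position can hold any character of the pool: pool ** length guesses.
    space = charset_size(password) ** len(password)
    bits = math.log2(space) if space > 0 else 0.0
    seconds = space / GUESSES_PER_SECOND   # time to exhaust the whole space
    if bits < 50:
        verdict = "weak"
    elif bits < 80:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"verdict": verdict, "reason": "brute-force estimate",
            "bits": round(bits, 1), "seconds": seconds}


if __name__ == "__main__":
    for candidate in ("letmein", "abc123", "Summer2019", "g7#Qz!vL2p@Rm9"):
        print(candidate, assess_password(candidate))
```

"abc123" has a guess space of 36^6, about 31 bits, which the assumed rate exhausts in well under a second; a 14-character mixed password scores over 90 bits. The estimate is an upper bound: "Summer2019" scores "fair" on character count alone, yet real cracking tools try season-plus-year patterns early, so policies should combine length with a check against known-breached and common passwords rather than rely on character classes.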
Stolen laptops, mobile phones, USB keys and paperwork can provide sensitive access details.
A recent survey by Forrester found the top source (36%) of data breaches in a 12-month period was insiders—a combination of inadvertent misuse of data by employees, and malicious leaks.