The problem is not technology. The problem is the person, or persons using it.

– Billy Graham

RISK MANAGEMENT

How individual behavior is changing cybersecurity in 2020

By Paul Cormier / paul.cormier@archetypesc.com

Since the very first product transaction, customer information has been a valuable commodity.

Today we understand that personal information — so much more than we ever dreamed — IS the product for sale. Everything we do and every place we go can be captured and sold.

Information is so valuable, in fact, that it is targeted each and every day by bad actors with bad intentions.

For evidence of how common compromised personal information has become, look at HaveIBeenPwned.com, which has recorded more than 9.3 billion accounts exposed in the past 6 years (2 billion in 2019 alone).

But despite the overwhelming reality of the figures we face, many continue to misunderstand the vast risk landscape and the very definition of what it means to be targeted.

Whether it’s the innumerable accounts and profiles we need to function in today’s society, the third-parties encouraging us to share our locations, create digital libraries and offer up our DNA or just the need to access free Wi-Fi and charge our devices in public places, our data is at risk all day, every day.

Some people simply succumb to the belief that defense is futile, and they likely have already been exposed, while others fumble with a lack of knowledge on how to protect themselves. But regardless of whether you choose to fight it or ignore it, the truth is that the risks are VERY real.

Perhaps nowhere are these risks more evident than for employers trying to deal with their employees’ poor habits when it comes to cybersecurity.

No matter how much time and money is dedicated to systems and software, if human behavior is ignored, the problem will not only persist, it will intensify.

Here are some of the growing number of signs that the link bewteen individual behavior and cybersecurity is growing for 2020 and beyond:

1. More devices, more problems

The number of handheld devices — smartphones and tablets — in use has exploded.

Twelve years ago there were 120 million cell phones in use … today there are 5 billion! iPhones alone have added 2 billion devices.

Experts predict that this number will continue to grow with more than 30 billion devices to be deployed by 2025.

With this many devices, it is only natural that a huge increase in cybersecurity attacks and threats will follow.

2. False sense of security grows

There’s evidence to suggest that the growing use of handheld devices may be making individuals less vigilant about cybersecurity than in the past.

A 2019 Verizon report on cybersecurity noted the “visibility and accessibility of handheld devices are contributing to the problem” with user-friendly designs that do not encourage people to be cautious.

Because these devices are “designed to make us flow from one application to another naturally, and almost without thought” users may not be as wary of security threats as they had been with computers in the past.

3. Android and iOS are at risk

In December 2019, Google deleted seven malware-infested applications from their Play Store. The applications were pulled because they opened back doors that allowed malware to be installed from external locations.

Though they are no longer available for download, Google isn’t deleting applications already installed.

Which applications? Alarm Clock, Calculator, Magnifying Glass, Magnifier with Flashlight, Super Bright Flashlight, Free Magnifying Glass, and Super Bright LED Flashlight.

If you happen to have any of these on your devices, delete them immediately.

And don’t think iOS users are safe from this sort of exploit.

Hacker News recently reported over 1 billion malicious ad impression exploit flaws targeting Apple users.

In some cases, intrusive pop up ads can forcefully redirect users to malicious sites. Earlier this year, a campaign allowed successful bypass of ad blockers on iOS devices and highjacked 500 million mobile user sessions in just one week.

Finally, researchers also recently found 1,000s of Christmas-themed applications with significant security flaws across both platforms, so if you have lingering holiday applications on your device, you should delete those as well.

4. Text messages are growing targets

In December, USA Today reported a database housing millions of SMS text messages was left open online for an extended period of time.

According to the report “the team was able to access the text messages because the logs were completely unsecured and unencrypted.”

Just a quick reminder that your text messages aren’t safe from harm either.

5. Your home is at risk, too

Our homes now have the same risk as businesses, without experienced staff.

In December, D-Link Routers published a list of known vulnerabilities but are not fixing them.

Home Networks include all kinds of devices, applications and connections including firewalls, antivirus software, malware scanning, printers, phones, televisions, lights, doorbells, refrigerators, thermostats, cameras, personal assistants, etc.

These Internet of Things (IoT) devices all have default settings and passwords readily available on-line and routinely need updates and patches.

6. Data breaches continue rapid growth

Data breaches again dominated the news for cybersecurity in 2019,  with a whopping 5,183 breaches in the past year according to MSN.

According to research from Risk Based Security, the total number of breaches was up 33% over the previous year and nearly 8 billion records were exposed in all.

There are too many to list them all, but even a small sample of these breaches serves as a stark reminder that attacks can affect businesses and organizations of all sizes:

  • Facebook recently announced 267 million Facebook accounts were compromised.
  • On Dec. 19, convenience store and gas station chain Wawa reported that all 800-plus locations were exposed to a data breach.
  • Cloud-based storage companies like Amazon Web Services and ElasticSearch repeatedly saw their names surface in stories of negligent companies in 2019, which left sensitive customer data unprotected in the open wilds of the internet.
  • 72 school districts across the U.S. representing more than 1,000 schools were breached in 2019. Schools are now second on the “most attacked” list behind cities and municipalities and just ahead of third-place, the healthcare Industry — which just saw a major blow when 15 million patients had their info stolen before LifeLabs paid the ransom to retrieve them.
  • Even locally in the Myrtle Beach area, healthcare organizations including Tidelands Health and Conway Medical Center, both experienced breaches announced in December.

7. Passwords remain the biggest problem

Password encryption continues to be a problem because individuals increasingly need many logins in their daily lives. Who can remember a dozen or more unique passwords?

Because of this, passwords are reused, rarely or never changed, or only slightly altered.

These passwords, which have likely been exposed by data breaches, can then be used to perform credential stuffing, an attack that gains unauthorized access to user accounts through large-scale automated login requests.

Microsoft reported that in the first three months of 2019 they found 44 million accounts reusing passwords found in breaches. In fact, 72% of consumers admit to recycling passwords up to 4 times.

According to the report, 90% of attacks start with individuals. Of those, 94% come from e-mail, and 45% from Microsoft Office attachments.

This fraudulent account takeover is responsible for millions of dollars stolen due to wire transfer account changes.

We have seen this at all levels, from public/private project owners to general contractors to subcontractors to employees and even human resources.

8. Antivirus protection is not enough

Only half of all malware is caught by antivirus software, according to 2019 reports. This is dramatically lower than historical success of 67%.

Advances in attacks coupled with the volume of devices and applications are outpacing application defenses, which means just having antivirus software installed on your computer is no longer enough to mitigate your individual risk.

9. Biometrics is not the solution

If you think facial recognition or fingerprints is the solution, think again.

The Verge published an article recently reporting that security company Suprema fell victim to a hack exposing the fingerprints of over one million people.

Biometrics is a growing technology that can be effective on many levels, but when individual behavior in cybersecurity isn’t a focus, even the most high-tech companies can fall victim to breaches.

10. Things might get weird in 2020

A December ZDNet Article, warns about AI-powered deepfakes, as well as ongoing ransomware, IoT, and 5G as examples of how risks will continue to grow stranger and more diverse in the coming year.

Renown Tech analyst Forrester predicts deepfakes — which take a person in an existing image or video and replace them with someone else’s likeness  — could cost $250 million next year.

This risk comes not only through direct damage to individuals and brands, but also in a toolkit for phishing gangs.

“AI tools are already available and in use faking the voice of company officers/executives, directing employees to fraudulently move funds,” the article states. “5G will serve to spread the disease and risk faster.”

So, what does all this mean for businesses?

If your focus is solely on systems, you are missing out on the fact that cybersecurity and individual behavior is as big a problem, if not bigger.

Your employees, your subcontractors, your suppliers (and their employees), are as much a threat to your business as unpatched servers.

The dollars spent securing your business data is at risk if all the users in your world are not protecting themselves.

In 2020 and beyond, cybersecurity must be viewed in much the same way as safety in the workplace was thirty years ago.

Zero tolerance must be the goal and incidents must be tracked, investigated, and remediated.

Take control of your security today!

Work with the cybersecurity experts at Archetype SC specialize in helping businesses understand and manage the risks associated with modern technology. Help lock down your most precious assets today with our Security Risk & Vulnerability Assessment (SRVA), which provides a detailed look at vulnerabilities in your system. Contact us today for a free consultation.

© Copyright 2019 Archetype SC, Inc.