The Top 6 Cyber Threats in 2021 and How to Protect Your Organization
The 2020 pandemic pushed the digital development of companies in every sector by about five years. But as companies become ever-more reliant on digital systems, they also become more vulnerable to cyber attacks and other digital threats.
According to one survey, around two-thirds of companies have experienced some sort of cyber attack, costing companies with under 500 employees an average of $7.5 million per incident. With increasingly sophisticated attacks on the rise, here’s what companies need to be looking out for in 2021.
1. Ransomware
Ransomware is a type of software that’s inserted into your computer systems by a hacker, at which point it encrypts your data. To decrypt your data and regain control of your systems, you must pay the hacker for the encryption key.
Ransomware attacks have skyrocketed in popularity recently, growing 350 percent in 2018 alone, and they can come from any source that allows the nefarious software into the network. In some cases, outside actors find vulnerabilities in your security that they can exploit, but these are the minority — in most cases, hackers are allowed in by unwitting participants through phishing emails, banner ads, Trojan horse software, or mobile apps.
The primary step in any IT security plan is education. Teach your employees and colleagues how to recognize phishing, how to avoid nefarious downloads, and how to keep their login information secure.
Another crucial step is to back up your data, ideally more than once. An onsite server that backs up data every hour is an excellent practice, especially when supplemented by an offsite or cloud server that backs up once a day. In the worst case scenario, if your data is held hostage, you can wipe it and restore from a backup.
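Restoring only works if a recent, verified copy actually exists, so the two-tier schedule above can be monitored. The following is an added example, not part of the original article; the record format, the 15-minute grace margin and the sample catalogue are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Maximum acceptable age per tier, taken from the schedule in the text:
# onsite backs up every hour, offsite/cloud once a day. The grace margin
# is an assumption to tolerate a job that is still running.
MAX_AGE = {"onsite": timedelta(hours=1), "offsite": timedelta(days=1)}
GRACE = timedelta(minutes=15)


def check_backups(records, now):
    """Return {tier: (status, age)} for the newest verified backup per tier.

    records: iterable of (tier, finished_at, verified) tuples, where
    `verified` means a restore test or checksum check passed.
    """
    newest = {}
    for tier, finished_at, verified in records:
        if not verified or finished_at > now:
            continue  # unverified or clock-skewed entries cannot be trusted
        if tier not in newest or finished_at > newest[tier]:
            newest[tier] = finished_at
    report = {}
    for tier, limit in MAX_AGE.items():
        if tier not in newest:
            report[tier] = ("MISSING", None)
            continue
        age = now - newest[tier]
        report[tier] = ("OK" if age <= limit + GRACE else "STALE", age)
    return report


def restore_candidates(report):
    """Tiers that currently hold a fresh, verified copy to restore from."""
    return [tier for tier, (status, _) in report.items() if status == "OK"]


# Constructed sample catalogue (not real data).
NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("onsite", NOW - timedelta(minutes=50), False),  # newest, but failed verification
    ("onsite", NOW - timedelta(hours=3), True),
    ("offsite", NOW - timedelta(hours=20), True),
]

if __name__ == "__main__":
    result = check_backups(SAMPLE, NOW)
    for tier, (status, age) in result.items():
        print(tier, status, age)
    print("restore from:", restore_candidates(result))
```

In the sample, the most recent onsite backup failed verification, so the onsite tier is reported stale and only the offsite copy is a safe restore source.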
2. Social Engineering Attacks
Social engineering attacks are a broad category that can come from almost any channel, but the unifying theme is that a social engineering attack convinces the target to open up access to the system willingly, as opposed to the hacker having to force their way in.
Social engineering attacks take many forms:
- Phishing: convincing the target to give up sensitive information, often by posing as an authority like a bank or government agency.
- Pretexting: creating a pretext to ask for information — a pretexter might claim to be auditing your accounting records and demand access to your payroll software.
- Baiting: offering something in return, like a cash reward or free download, in exchange for personal information. In one experiment, a full ninety percent of office workers were willing to surrender their password in exchange for a free pen.
- Tailgating: following someone into a restricted area in an office building without the proper authorization. In one case, a security consultant was able to set up an office in a meeting room inside the offices of a financial firm, where no one confronted him for several days.
When it comes to social engineering attacks, your office is only as secure as the most suggestible person in it. Put a heavy emphasis on educating people against suspicious activity and implement safeguards to prevent people from accidentally compromising security.
3. Supply Chain Attacks
Rather than targeting your systems directly, a supply chain attack targets one of the third-party tools your business uses. This might include an email client, payroll software, a customer database, time tracking, project management, or any of the other dozens of software services that modern companies use.
The unfortunate truth is that there’s not much you can do to monitor the security of a third-party application, but you can assess their security protocols before you grant them access to your systems. It’s also a good idea to build in a sort of digital bulkhead between your systems — if you get word that one of your third-party services has been compromised, you should be able to immediately pull the plug and revoke their access to any of your other information.
4. Remote Work Security
With the increase in remote work during the pandemic, IT security specialists started to deal with entirely new security problems. Employees are logging into company servers from a distance, potentially over unsecured networks, on personal machines that may not have the appropriate protections in place.
If your company employs remote workers, it’s worth your while to implement strict security policies for their home equipment and networks. Insist that they don’t use VPNs so you can keep track of IP addresses. Require password protection on all personal machines. If you can afford it, ban logins on personal machines altogether — buy your remote employees work computers with the right security measures in place.
5. Deepfakes
Deepfakes — digital composite videos that can accurately mimic a real person’s voice and face — are getting more and more convincing at an alarming rate. Some of them only require a single source photo and a video made by the malicious actor to generate a lifelike video clip.
Deepfake attacks aren’t commonplace yet, but they’re certainly something to watch out for. Someone could, with relative ease, create an email containing a video of your CEO announcing that the company is going out of business and put it on YouTube. Alternatively, they could fake a phone call asking an employee for their login information and thus gain access to the backend of your site.
Again, the key is education. Recognizing deepfakes might not be feasible, but you can at least train your employees to confirm anything they hear over voicemail or in a video. If the CIO leaves a voicemail saying he needs the password to the credit card database, the person who received the voicemail should call him back at a known number to hear him say it directly.
6. IoT Vulnerabilities
The Internet of Things (IoT) refers to the billions of devices connected to the internet other than computers — connected appliances, thermostats, home security systems, health monitors, smart factory equipment, inventory trackers, and hundreds of other pieces of hardware that are connected to the internet.
IoT items tend to be far less secure than computers and phones, which makes them a potential risk vector for attackers trying to gain access to your network. Anything that’s connected to the internet might be a liability — in 2018, hackers managed to not only gain access to a casino’s wireless network but extract personal information on the casino’s high rollers through a wi-fi-connected thermostat in a fish tank in the casino’s lobby.
Using strong and unique passwords will help you mitigate security issues from IoT devices, but it’s also important to examine the security protocols of every device you connect to the internet in your office. If you don’t need IoT devices or work with especially sensitive information, don’t use them. If you decide that you absolutely need them, consider setting them up on an independent wi-fi network that will help isolate them from your computers and smartphones.