17 Useful Cybersecurity Terms and Tips

Even if you are not in the IT department of your company, it is helpful to understand some common cybersecurity terms. Knowing them will give you a shared language in speaking with the IT team or your IT provider. Not only will I define these important terms, but I will share advice for increasing the cybersecurity of your company. Note that an IT team does not automatically provide cybersecurity. Verify that your IT provider, whose main purpose is to manage and maintain the technology infrastructure, is also putting cybersecurity systems into place. Cybersecurity is the practice of protecting networks, systems and data from cyberattacks.  

Let’s start with a common way cybercriminals gain sensitive information or gain access to computer systems: social engineering. This is when cybercriminals use deception to manipulate people in the company to provide confidential information or give access to a system. As humans can be the weak link to opening up secure systems to those with malicious intent, cybercriminals target employees’ emotions and logic to get what they want.  

These criminals can use phishing or smishing to contact employees to carry out their manipulations. I’m sure you’ve heard of phishing: emails sent by cybercriminals to trick victims into providing sensitive information. This information includes credit card numbers or passwords. It also includes Personally Identifiable Information (PII), the data collected on employees (social security numbers, addresses, personal email addresses, telephone numbers, etc.). 

Phishing can also be used to trick employees into downloading malware: software that disrupts or damages computer systems or gives the cybercriminal access to the system. Smishing is phishing’s cousin: the use of SMS (texts) sent to cell phones to contact the victim. 

There are other specific types of phishing: spam, spear phishing, and CEO fraud. We have all received spam, unsolicited bulk emails sent for advertising or for malicious purposes. While spam is sent indiscriminately, spear phishing is a targeted attack aimed at a specific individual or organization. In this case, cybercriminals send well-prepared messages that are tailored for the social engineering of those who receive the messages. They may resort to CEO fraud in which the attacker pretends to be a senior executive of the organization. It is a well-known fact that people are likely to consent to a questionable activity if the order comes from an authority figure. The cybercriminal capitalizes on this human factor. 

As mentioned, one of the goals of the cybercriminals is to install malware. One kind of malware that is alarmingly common is ransomware. Using social engineering or hacking, the cybercriminal gains access to a computer system and installs software that blocks access to the computer system until a ransom is paid. According to studies, the amount of the ransom represents only 15% of the financial damage the attack causes by stopping operations and then restoring them.

Another tactic the cybercriminal may take is a man-in-the-middle attack, one in which the attacker intercepts and alters communication between two parties without them knowing it. The goal, of course, is to gain sensitive information that can be used for the attacker’s own malicious purposes. The cybercriminal gains access through an unsecured access point or phishing. One common unsecured access point is Internet of Things (IoT) devices, which are objects (washing machine, oven, coffee machine) that are connected to the internet through a router. The cybercriminal is thus able to gain access to the router and therefore to the entire system.

Now that we have explored some of the most common ways cybercriminals attack businesses, let’s explore some of the most powerful defensive mechanisms that your business can implement. A combination of several of these strategies will provide optimal protection against cyberattacks. We’ve seen that the weak point in businesses is often the employees themselves. Social engineering makes them vulnerable to willingly sharing sensitive information. Thus, a powerful shield in the arsenal must be a Human Firewall in which employees become a firewall by resisting the manipulation of cyberattacks. Evidently, training is key to transforming employees into a human firewall. 

As for technology that protects a company from cyberattacks, there are several solutions. One is using a VPN (Virtual Private Network), which provides a secure connection between devices connected to the internet. It is even more useful for protecting data when employees are working outside of the office. This is why the VPN grew in popularity during the pandemic. Also, having an antivirus installed is key to detecting and removing malware from a computer system. A more recent development, Endpoint Detection and Response (EDR), incorporates antivirus and other security products to provide a real-time continuous monitoring solution relying on automation. An EDR is even more critical when employees use their own personal devices for work.

It is well known that choosing complex passwords, ones that include upper- and lower-case letters, numbers and symbols, is a best practice. But practically, it can be laborious to enter the correct password. This is where a password manager can prove worthwhile. It is one secured program that stores encrypted passwords for all programs. So, by entering the master password, the manager will autofill the log-in credentials for any program. You may opt for more than just a password to gain access to programs. In this case, a common solution is Multi-Factor Authentication (MFA), a security process that requires more than one method to authenticate the user’s identity.

Knowing these seventeen useful cybersecurity terms will help you better communicate with your IT team about securing networks. You now know some of the dangers, but more importantly, you know some of the solutions for resisting cyberattacks.
