Cybercriminals are intent on breaking through security defenses to gain access to corporate databases. Once access has been gained, they steal data to sell on to other criminals to use for fraud and identity theft. There are some exceptionally talented individuals out there who are doing this, but there are many less talented individuals as well who are doing the same. In fact, there are individuals with next to no talent or skill who are making big money because it is so easy.
It doesn’t actually take a genius to steal data from companies, even when robust security measures are put in place. That is because massive security holes are left unplugged. The door is being left open, and cybercriminals are just walking through it.
To prevent major data breaches and cyberattacks, it is essential to make it hard for cybercriminals. If it is hard, they are likely to look for easier targets. There are plenty out there; you just need to make sure you are not one of them. It is much easier for them to take the path of least resistance or, in many cases, the path of no resistance. Some companies make it ridiculously easy for hackers and criminals to steal their data.
How easy is it? The global information group Experian took a close look by conducting its “life in a box” experiment. That study produced some very interesting results. First of all, the study quantified the extent of the current problem.
Between the start of January and the end of June 2012, a period of only 6 months, 19.7 million pieces of information were illegally traded online. To put that figure into context, 19.04 million pieces of information were traded in 2011. That’s the whole of 2011, BTW, not just the first 6 months.
The Life in a Box Experiment
Meet Steve. He knows his stuff. He is a typical web user who is quite knowledgeable on security matters. He takes precautions when using the internet, holds down a normal job and pays his taxes. He is also in a hurry most of the time because he has a lot to get done. Consequently, he makes some mistakes: basic security errors, even though he believes he is quite security conscious.
Steve was presented with a few challenges for the study. These online tasks were set to find out just how easy he was making it for criminals to steal his personal data. During the study, this reasonably security conscious guy made three fundamental security mistakes.
- He was found to be sharing his passwords across a number of different online accounts
- He did not bother to check that a website was secure (had a padlock next to the URL) before disclosing personal information
- He did not update his web browser to the latest version when a security update or critical patch was released
Steve had set up 8 temporary email addresses during the study. It took only 5 hours for all 8 to be hijacked. His data were actually in the hands of criminals in multiple countries around the world within 5 minutes of the study commencing. Mr. “Reasonably Security Conscious” was not making it difficult for cybercriminals at all. Most of his fellow employees would have performed equally badly, and many a whole lot worse.
A vast amount of personal data is uploaded to the Internet
An incredible amount of data about individuals’ lives is uploaded to the Internet. Names, dates of birth, passwords, usernames, answers to security questions, bank account details, Social Security numbers, credit card numbers, medical information, consumer information, likes and dislikes. The list goes on and on.
If you are a little sloppy and are not particularly security aware, this information can easily be accessed by criminals. With just a little information it is possible to commit identity theft. Criminals use that information to create or obtain fake IDs that can be used to obtain further proof of identity. Then credit cards, loans, prescriptions, medical services and much more can be obtained. Bad security habits at work can see employers’ systems compromised and corporate bank accounts plundered.
There has never been an easier time to get into online crime
Personal information can be obtained using a number of very straightforward techniques. It is not necessary to be a hacker to do this. Any would-be criminal could pay to use an exploit kit and even be instructed how to use it. Phishing campaigns can be easily launched, social engineering scams developed, viruses and malware sent via email, and malicious code loaded onto pages and adverts on social media networks.
As long as web users continue to make it easy for criminals to take advantage, there will not be a shortage of individuals willing to try to defraud them. It may not be possible to prevent all cyberattacks but it is possible to make sure that only the most skilled and creative cybercriminals will have a chance of success.
Security awareness must improve in order to prevent corporate cyberattacks
Unfortunately, even with excellent security defenses installed, the sloppy security habits of employees can result in networks being compromised. All it takes is for an employee to respond to a phishing campaign, visit a website containing malicious code, install malware by mistake, or hand over sensitive information to a scammer and the door can be opened.
The Life in a Box study shows just how easy some people are making it for cybercriminals to take advantage. You can tell employees to only use websites that have an SSL certificate in place, or to look for a padlock next to the URL before disclosing personal or company information, but they will continue to make basic security errors.
They must be instructed on the risks, trained how to avoid risky behavior, and told about the methods cybercriminals use to obtain data, steal identities, and break through corporate cybersecurity defenses. They do not need to be turned into IT security experts; they just need to be taught how to act responsibly online.
You also need to put additional security defenses in place because everyone will make mistakes from time to time. You need to make it harder for cybercriminals to take advantage, and you need to reduce the number of times your employees’ security skills are put to the test. A spam filter is a good place to start, and a web filter is also wise protection. Alongside security training, these defenses will leave your network much better protected from attack.