In 2021, chances are high that you or the company you work for will experience a data breach. Sometimes those hacks mean personal information is stolen, other times a company’s data is held ransom unless it pays. And, in the case of the Colonial Pipeline ransomware cyberattack, it means an entire industry is brought to its knees and part of a country is crippled.
Recent cyberattacks illustrate that while companies and researchers are developing stronger and stronger automated tools to detect and stop malicious behavior, we’re still highly vulnerable as more and more cyber criminals find and exploit bugs in the technologies we use every day.
BYU cybersecurity professor Justin Giboney is training the next generation of cyber experts to keep your information safe. Here Giboney answers a few questions to help breakdown the current cyber challenges we are facing and what individuals can do.
Q: Why is hacking such a growing concern for companies and nations?
A: Thievery and exploitation have existed for a long time. However, because we live in such a connected world, it is easier than ever for malicious people to reach us. Companies and nations need to be increasingly vigilant as their employees, customers, and citizens become more connected electronically. As the number of devices, apps, and connection points grow, so do the vectors and opportunities for malicious activity and the damage that can be done by that activity.
Q. What is the most common hacking approach and what are some red flags?
A. Phishing is by far the most common malicious internet-based activity. However, it is not “hacking.” Hacking is about getting a technology system to do something that it wasn’t originally intended to do. For example, adding a virus to a system is hacking. Phishing falls under another category called “social engineering,” wherein someone is manipulated to do something that isn’t good for them. Red flags of this type of malicious activity include:
- Unsolicited emails (if you didn’t start the conversation, question it, even if it says it is from a friend)
- Offers of rewards
- Punishments if you don’t do something soon
- Requests for you to call someone (companies and banks have their numbers posted online; call that one instead)
- Requests for gift cards, money transfers, or cash
- Complex-looking links (hover over the link)
- Grammatical errors
Once a person falls victim to social engineering, a malicious actor often uses hacking to get deeper into a system. Once inside, the now hacker uses ransomware to lock your data unless you pay and/or steals your information or a company’s information for continued malicious activity.
A. What should I do if my information is compromised, either from a company breach or individual action?
Your action largely depends on what has been compromised. If your password has been compromised, change it for that site (and any other site that uses that password, although you shouldn’t use the same password for multiple logins). If your credit card number or bank account number was leaked, call your credit card company or bank immediately. They have fraud units available to help. If a company leaked your data, they should provide identity theft protection for at least a year. If you or your company has been compromised, you can report it to the FBI using https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/identity-theft.
Q. What can individuals do proactively to be better protected from malicious activity?
A. Here are four things everyone should do:
- Be skeptical of everything on the Internet. Ask yourself, does this deal seem too good (or too bad) to be true, and does this seem like normal behavior from this entity reaching out to me? The IRS and other government entities don’t use email for important documents.
- Update your devices regularly. The large tech companies want to keep their customers safe. They provide security updates frequently. Updating will save you from many of the technological hacks.
- Use multifactor authentication on every site if it is available. Multifactor authentication makes it so thieves need your phone or other device to log in (making it much harder).
- Never use the same password on any website. You can use third-party authentication, like Google or Facebook, or a password Manager, like LastPass, to create long, complex and unique passwords for the sites you visit.
Q. What can companies/institutions do to better fend off hackers?
A. Unfortunately, cybersecurity is a cost of doing business. Companies are always trying to reduce costs. However, companies should be mindful of the expenses, including jail time for executives, of cybersecurity breaches. Companies should listen to their security officers and remember that they don’t just want new toys, but that they are trying to reduce the cost of doing business by building better walls to keep their assets protected. Companies should also maintain a culture of security starting at the very top. Reviewing the company’s cybersecurity practices quarterly is a great way to start.
Q. Where might hackers concentrate their efforts going forward?
A. Hackers are constantly trying to find bugs in software and operating systems that allow them privileged access to information. With the rise of Internet of Things (e.g., smart refrigerators), hackers have more connection points to penetrate our secret information. They will also find new ways to scam through social media. They will try to find ways to connect with us, but employ many of the same techniques they have in the past.