Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

3 Common Cyberthreats and How to Handle Them

Cybersecurity Assessments

Did you know that we’ve just come to the end of National Cybersecurity Awareness Month?

When you think about it, October is a fitting choice for such a designation. After all, this is the time of year we’re all watching scary movies about vampires, zombies, and—if you’ve got classic taste—Michael Myers.

Fright of these fictional monsters is part of October’s annual charm, but when it comes to your cybersecurity, the fear of breaches is decidedly not charming. It’s not a nice feeling to know there are actual malicious actors out there, lurking like Halloween ghouls, waiting to find a weakness in your applications, networks, or employees so they can take advantage, leaving you with financial and reputational losses.

As a top cybersecurity assessment firm, we understand what it takes to comply with many different security frameworks, including how to keep any digital “monsters” out of your networks.

In this article, we’ll go over three of the prominent methods cybercriminals use to exploit organizations—phishing, insider threats, and ransomware—along with some basic mitigating tactics you can use against them.

As with haunted houses, the scariest things are what we don’t know is out there, but having read this article, you’ll be more on your toes and ready for the next jump scare.

3 Cyber Threats You Need to Know About in 2022

1. Phishing

You’re likely already familiar with the concept of phishing attacks—someone poses as a legitimate institution, often through website ads or e-mails, and dupes you into providing your personal information. Should anyone at your organization click on the wrong link at any given time, suddenly the “horror movie” has manifested itself and made you an example of the price paid for lax cybersecurity.

Common hallmarks of a phishing scam include:

  • Too Perfect: As in, the idea—a cash prize or something similar—is too good to be true.
  • “Act Fast!”: Sometimes, cyber criminals will even threaten negative consequences if you don’t provide personal details immediately, like shutting down your account.
  • Subtle Hyperlink Deception: Bad actors will get sneaky with their URLs—at a quick glance, you might read bankofarnerica.com and see nothing wrong, but if you examine it closer, you’ll see clicking it won’t direct you to your bank.

Phishing actually falls under the larger umbrella of social engineering, which encompasses more tactics that take advantage of unsuspecting people.

2. Insider Threats

The human element to your cybersecurity is also particularly important when it comes to dealing with insider threats. Phishing may originate externally, but insider threats come from within your organization—think employees (current and former), vendors, or other stakeholders. They use their authorized access to do harm—whether they’re being deliberately malicious or unwittingly negligent.

Examples of insider threats include:

  • Those who exfiltrate data after being fired or furloughed
  • Those who sell company data or trade secrets for profit
  • Lax third-party vendor security (which was responsible for the infamous Target breach)

The point is that you not only have to worry about those who don’t have access getting into places they shouldn’t—you also have to worry about those that do have access.

3. Ransomware

Finally, we come to ransomware—one of the most prevalent of cyberthreats at the minute. What was a popular buzzword has become extremely lucrative for cybercriminals. A type of malware, ransomware allows a hacker to encrypt a victim’s file system and revoke the organization’s access so that they can extract money in exchange for the data and/or restoration of access.

These criminals often use the following to get their exploitation malware onto your systems:

  • Phishing—mentioned above
  • Drive-by downloading—when a user unknowingly visits an infected website, at which point malware is downloaded and installed without their knowledge.
  • Poor patch management – Internet-facing servers or services with unpatched vulnerabilities allowing remote code execution (RCE). When this type of issue is exploited, an attacker gains a foothold on your infrastructure, they can execute ransomware, or pivot deeper within the network.

 Not only do you stand to potentially suffer an irreversible loss of your data, but the ransom numbers that must be paid aren’t always small peanuts either—the highest known ransom payment to date was $40 million USD paid by CNA Financial in 2021.

Given that 2021 also showed a 100% increase in the attacks themselves, it’s long past time to start taking these threats seriously.

How to Mitigate Cyberthreats

So then, how to equip yourself with the right tools and—perhaps most importantly—informed employees in preparation to defend against these villains? 

Take Internal Action

Let’s break down these two facets we mentioned and provide some basic starting points:

Tier

What You Should Do

Tools

At a baseline, do you have these in place?

  • Firewalls
  • Intrusion detection and prevention systems (IDS / IPS)
  • Antivirus (AV) and Endpoint Detection and Response (EDR) software

To take it up a notch, have you implemented these?

  • Multi-factor authentication (including FIDO2 varieties, such as YubiKeys)
  • Password management tools (such as Bitwarden, 1Password, KeePass, etc.)
  • Consistent patching / security updates to the OS itself and 3rd-party software

People

Instill a clean desk policy

Mandate adequate security training and awareness activities

How to know what’s “adequate?”

  • Don’t just outsource: evaluate applicable information from your privacy and security policies and align the security training objectives with those of your organizational mission
  • Make sure this includes education, so your employees know how to spot phishing, pretexting, baiting, and other social engineering tactics (done in a way that suits them, so the information sticks)
  • The better an organization’s security training and awareness, the higher the number of reported incidents should be among its employees, and the smaller the risk of a breach
  • Engage a trusted third party like Schellman to conduct realistic phishing simulations on a quarterly or more frequent basis

Human error remains one of the biggest threats against security, but your staff can also serve as the biggest assets here as well—they just have to know what to look for while going about their work.

For more information on how to build a successful cybersecurity program across the board, read our article on the 5 cornerstones you need.

Leverage Security and Compliance Assessments Against Cyberthreats

Many organizations already have to comply with different industry standards such as NIST, PCI, ISO, and HIPAA—adhering to those best practices within the frameworks will help tighten your security. You also might consider penetration testing, of which there are different types that will simulate specific cyberattacks on your networks and applications to discover your vulnerabilities:

Our penetration testing team does perform all of these, but in light of the epidemic of ransomware, in particular, we’ve also created a service that addresses this specific cyber threat—it’s called our Ransomware Preparedness Assessment.

To support you in shoring up your cyber defenses, we also created a Ransomware Checklist you can use for an internal evaluation, but this relatively quick assessment will evaluate those efforts and determine if you’re really ready against such threats—such independent confirmation will help you sleep better at night.

Next Steps for Your Cybersecurity

October may be National Cybersecurity Awareness Month, but the need for cyber defenses is year-round, especially now as attacks continue to grow more and more sophisticated. Awareness is key—for you and your staff—and now you know about three big approaches hackers use.

We also provided tips and other resources to help you shore up your protections, along with new unique assessment options that can support those efforts—if you think you may be interested in exploring the possibilities for added reassurance, please contact us.

In the meantime, for more tips on personal accountability and security, the National Initiative for Cybersecurity Careers and Studies (NICCS) is a great resource that offers good details on how individuals should be cognizant of internet use from both a personal and professional standpoint.

You might also check out our other content on other cybersecurity resources and threats so you can take all the necessary steps to protect yourself:

About Josh Tomkiel

Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.