What is Cyber Security Risk? 10 Tips


what-is-cyber-security-risk

Your account has been hacked!  Your personal information, account numbers, passwords and medical information are now in the hands of total strangers to do with as they choose.  How did this happen? You’ve heard about cyber security, but thought it was just someone else’s problem.  Wrong again!  cyber security risk is a concern for every person with an internet connection.  It’s time to get more information.

What is “cyber security” risk?  Cyber security risk is the potential for risk or harm to you or your company in the event your digital system is compromised and data taken by an unauthorized user. That user’s intent would be to gain personal and/or confidential information.

That is a pretty short and direct answer. However, there is a lot more detail involved in cyber security risk. To do it full justice, we need to dig a little deeper and get familiar with the nuts and bolts.

What is Cyber Security Risk?

Let’s break this down a bit.  We are all pretty familiar with the word “risk”. We understand it’s meaning and probably don’t need it defined.

cyber security, on the other hand, is more of a vague term we’ve seen bandied about online but may not fully grasp.

Merriam-Webster[1] defines cyber security as “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack”.

So, logically speaking, cyber security risk is the threat of cyber security failure, leading to unauthorized access or attack by an individual or group.

From a business standpoint, it’s more probably the risk of exposure or loss[2] that could result from such a breach.  In our litigious (that means lawsuit-happy) society, a security breach and theft of personal information can result in millions of dollars lost in lawsuits, bad publicity, tarnished professional image and lost public confidence.  This is a big game-changer.

Recent Cyber Security Failures

The last decade has seen a huge surge in cyber security failures.  Here are a few of the notables[3].

Adobe. In October 2013 Adobe was hacked by a security blogger. Though he is known, I won’t give him any credit by sharing his name here.  Adobe acknowledged the loss of identification and passwords for 38 million users.  The hacker later posted that information publicly on 150 million users.  Additionally,  customers names, identification, passwords and debit/credit card information were exposed.

Adobe had paid out over $1 million to customers as reparation as of November 2016.

Adult Friend Finder.  The Adult Friend Finder Network hosted adult-focused sites including Penthouse.com, Cams.com, and Stripshow.com. You probably get an idea of the nature of these sites. In mid-October 2016, the network was breached and the database of names, addresses, and passwords spanning a 20-year period was exposed.

This breach affected 412.2 million accounts, causing unknown levels of personal embarrassment.

Canva. This Australian graphic design website was hacked, and 137 million user accounts were accessed. The username, password,  email address and cities of residence were all compromised.

Partial credit card information was viewed, but not downloaded.

This prompted Canva to request its users change their passwords.  Later, an additional 4 million users saw their encrypted passwords shared online.

Ebay. A cyber attack occurring in May 2014 exposed Ebay’s entire account list of 145 million users for over 229 days to the cyber villains. Compromised were names, addresses, date of birth and passwords.

Credit/debit card information was stored separately and was not compromised.

Equifax. You may have heard of this little credit bureau. It was one of the biggest in the United States.

In July 2017, Equifax announced it had been the subject of a breach.  They estimated the breach began sometime in May.  An application vulnerability was exploited by hackers.

The personal information, including addresses, social security numbers, birthdays and, in some cases, driver’s license numbers of 147.9 million people was compromised.  An additional 209,000 people had their credit card information exposed.

Other big corporate hacks have included Dubsmash (162 million user accounts), Heartland Payment Systems (134 million credit cards exposed), LinkedIn (165 million user accounts), Marriott International (500 million customer accounts, including the credit card number and expiration dates of over 100 million customers). 

All these numbers are staggering, yet they aren’t the grand prize loser.  No, the biggest breach of the past 10 years belongs to…Yahoo. 

Between 2013 and 2014, Yahoo had the names, email addresses, dates of birth and telephone users of 500 million users compromised by what they described as “state sponsored actors”.  Then, again in 2013 another attack, by different hackers that compromised the personal information of 3 billion user accounts.

At the time the breaches were identified and made public, Yahoo was in the process of being purchased by Verizon.  The toll of these breaches on public confidence knocked an estimated $350 million off the purchase price.

That’s a pretty expensive mistake to make. 

Biggest Cyber Security Risks

Now, we’ve looked at the past and have identified why we should care about cyber security.  What about the present and immediate future?  What are our biggest cyber security risks now? [4]  Here are some of the biggest cyber security threats currently on our radars.

Phishing

Phishing is the term used to describe a cyber attack in which a carefully designed digital message or link is sent to fool the victim into clicking on the link.  When the victim does, it can either (a) install malware onto the victim’s system or (b) expose personal or sensitive data. 

Phishing has been around for a while. The biggest change is the perpetrators are becoming much more sophisticated with their “bait”.

Ransomware

This little gem, once it has infiltrated your system, literally holds your data “hostage” until you agree to pay the ransom.

With the recent increase in virtual funds like Bitcoin, this “ransom” is even easier to obtain and almost impossible to trace once paid.

Ransomware attacks are believed to cost victims billions of dollars annually.

Cryptojacking

With the recent rise in Bitcoin and other cryptocurrency, cryptojacking activity has seen an equal increase.

In this scenario, hackers are focused more on third-party home or work computers.  They utilize the increased computing power of all those hijacked systems to “mine” for cryptocurrency.

Social Engineering

These scoundrels rely on your own willingness to trust[5] to scam you.  Perhaps they send an email that looks like it comes from a friend. Maybe it’s a new Facebook account.  They send you something that looks legit and from a trusted source.

Then…they use your own trust against you to trick you into sharing personal information, such as passwords or account numbers. 

Or, they might send you a link to something that looks interesting.  You trust the source and click the link. Boom, instant infection with a malware virus.  Now, they just sit back and collect your information.

Connected or Semi-autonomous Vehicles

Loving that Bluetooth link to the car?  So do hackers.  That Bluetooth or other link may not be as secure as you’d like.  Hackers can utilize that weakness to hack into your phone.  What do most of us keep in our phones?  Internet connections.  We pay by phone or we use Google Pay or PayPal.  Maybe we even do online banking by phone.

Your car just gave the villains access to your information and you helped.

What are the Most Common Sources of Cyber Threat?

Who is it that keeps perpetrating these dastardly acts of cybertheft? What crafty villain do we need to identify and hold accountable?  Ok, a little less dramatic, but who/what are the most common sources of cyber threat in our world today?

Malicious Insiders

Surprisingly, one of the biggest threats to cyber security in the business arena are disgruntled employees.  These malicious insiders have the information and knowledge to get into the system and the anger or desire to “pay back” some real or imagined slight.

In a poll[6] of over 1,000 IT executives, over 30% identified malicious insiders as their top cyber threat source.

25% identified human error, caused by employee’s lack of technical knowledge as another primary source of cyber security breach.

State-sponsored Attacks

In the first 3 months of 2020, 17 different state-sponsored cyber attacks[7] have allegedly occurred, spanning the globe in terms of both victims and accused perpetrators.

Is your home computer at risk?  Probably not. State-sponsored attacks tend to focus on much bigger fish than your beloved Mac.  They focus on things like NASA, the Social Security Administration, communications companies, or the UN.

Does that mean you don’t care?  Absolutely not.  A successful attack on a communications system not only puts your personal information at risk, it could even bring the entire system down.  Now, extend that to, say an electric grid covering 5 states in the upper northeast U.S. Do you see the physical, psychological and economical damage that could occur?

Hackers

Whether individually or in organized groups, this is what we tend to think of when we think of cyber criminals.  The outcast kid in his bedroom, 2am, cans of Red Bull by his side as he breaks into NASA. The small group of young people, thirsting for justice in an unjust world, breaking into the CIA database and exposing fraud and cover up.  Great cinema, not great reality.

Yes, this type of hacker does exist. However, like the rest of society, hackers have become much more sophisticated.

A true cyber criminal hacker isn’t all that interested in “justice”. They are much more interested in your Visa account number, which he/she will be glad to sell on the Dark Web and make a tidy little bundle.

What Information is Most Commonly at Risk?

So, we know who the cyber criminals are. We know what they have done. We may not really understand why, but that’s a whole different discussion.  What I want to know is specifically what information are they looking for? 

The answer is “what do you have”?  Each cyber criminal may have a different objective in mind or, perhaps no specific objective, they will just take whatever they manage to find and use it accordingly. However, there are certain key pieces of information that are prime targets.

Account numbers

These are like gold.  But how would they access this information?  A common method is via phishing.

A link is sent to you. It takes you to a site that looks very similar to your bank’s website[8]. You are asked to enter your username and password.  To confirm your identity, they need you to enter your account number.  In one fell swoop, they have complete access to your personal banking information, your bank account any linked accounts or credit cards and so forth.

One way to catch this type of fraudulent activity is to look closely at the email addresses.  They are frequently close, but not quite accurate.  An example would be @gmall.com, rather than gmail.com.  Do you see the slight difference?  In the first, the “i” has been replaced with a “l”. Tough to see unless you’re really paying attention and the phishers count on that.

Credit Card Numbers

Another cyber criminal target will be credit or debit card numbers. With these, they can sell them on the Dark Web or go on a little shopping spree of their own.  How would they get this information?

A key favorite is a specific type of malware known as “spyware”. Spyware is actually a program or virus running in the background of your system.  You can’t see it, but it can see everything you do, including the keystrokes you use.  It can see every bit of data you enter. Easy enough to monitor until you decide to do a little Amazon shopping then, yep, your credit card number is in their grubby little laptops.

Ways to reduce this risk include always keeping your anti-virus software up to date, avoid clicking on unknown links, never download pirated or unauthorized software.

Passwords

It isn’t just your password they want. Nope, they want as many passwords as they can get.  Those passwords are fed into an automated hacking tool which is then directed at a specific website to try to “break” into the site. This is known as “credential stuffing”.

One source[9] estimates that 90% of all login attempts on retail websites aren’t actual clients, but these credential stuffers. 

Airline sites come in second with about 60% of login attempts coming from stuffers.  Online banking sites (58%) and hotels (44%) round out the top 4.

10 Tips to Reduce Your Cyber Security Risk.

You only have so much control over how big business manages its security. However, you’re fully in charge of how you manage the security of your own systems, including phone, IoT devices and smart appliances. 

Here are some 10 tips to help you reduce your own cyber security risk and manage the digital threat to you and your family.

1. Patches

Always download and install the most recent security patches on all of your software.  Cyber criminals are tirelessly looking for ways to get in. As soon as the smallest gap is identified, they will exploit it.

Like bugs through a torn screen door, cyber criminals are waiting for their opportunity.  Again, like that screen door, a patch will block entry.

Companies release patches when a weakness is identified.  The patch is designed to reinforce that particular area to reduce the chance of cyber criminals gaining access to your system.  Use the patch. Don’t make it any easier for them.

2. Password Management

Do NOT use “password” or “123” as your password.  I know all those different numbers, letters and symbols gets confusing and it’s really easy to forget them.

Is it easier to reclaim your credit, money or data once identity theft has occurred? 

Another thing to consider, don’t make a list on your phone or computer of your passwords.  Really makes it easy for the cyber bad guys once they get their hands on that file.

3. Encryption

Encrypt your data.  You can get simple enough encryption software even for your personal home system. Use it!

To make it even easier for you, here is a link[10] to a site that critiques the best encryption software of 2020 and even includes some FREE options.  What are you waiting for? Do it now.

No, it won’t keep cyber criminals from getting into your system, but it will reduce the chance they can actually use the data they manage to steal.  Why give them anything?

4. Sensible Internet Browsing

This is so straightforward and yet so easily ignored.  When surfing on the Web or opening emails…don’t open any questionable links!

I know you want to see the 3-legged boy with the beard to his waist.  Don’t do it. Your sister-in-law just opened another Facebook account and wants to share with you?  Call her and confirm before assuming it’s really her.

That face cream guaranteed to reduce your wrinkles in just 3 days.  Don’t click the link!  If you really want it, do a Google search for the name and go directly to the website.

5. Attachments

This may be a bit more business focused, but it can apply at home, as well.

Many of the newer phishing techniques include an email, generally from someone you think you know, with an attachment.  Open that attachment and….BOOM!

Do not open attachments from people you don’t know.  Carefully examine attachments from people you do know before opening them.  Is this something you were expecting?  Is there a reason for this person to send you something like this?  If not, use your phone and ask that person before opening the link

The attachment does nothing until it’s opened.  This is your best defense and the time to be proactive and protect yourself.

6. Back It Up

That’s right, back up your data. Regularly. Without fail.  Sometimes, life happens, and you have a breach. Having a recent backup of your pictures, data, whatever is the best way to recover from a loss you may experience.

This will NOT protect you from cyber theft if you’ve stores usernames, passwords or account numbers on your computer.  However, it will protect other, possibly irreplaceable items from being permanently destroyed.

This step could scarcely be any easier. Enable auto backup. Wow, you don’t even have to think about it, your device does all the work for you.  Be sure to thank it later, you know, when you’re done browsing top 10 ugliest cats online.

7. Firewalls

If you don’t have an antivirus software and firewall on your system by now, shame on you.

These are so easily available and totally affordable (can you say FREE) that there is no excuse not to be protecting your system. Honestly, I almost didn’t include this because it is so basic.

Then, my neighbor lost all of her information after a cyber attack. Only then did she realize she had never updated her software subscription and it had lapsed.

Think of this like the lock on your front door. It is literally your first line of defense and should never be ignored, allowed to lapse or not utilized.

8. Credit Card Data 

Simply put, don’t store it on your system!

If we’re talking about your personal information on your personal system, you and I have already talked about this. Don’t let Google save those numbers. It doesn’t take long to enter them in and, worst case scenario, it gives you time to reconsider if you really need that 16’ sub sandwich.

If you’re a small business owner, don’t store your customer’s information on your system either. Be smart. Use options like PayPal or Stripe to manage those payments. Then, if there is an issue, it’s that organization’s liability, not yours.  Frankly, you can’t afford the risk of loss.

9. Physical Security

Again, this probably seems basic, yet so frequently overlooked.  Don’t leave your stuff laying around.

How easy is it to break into your information if they have already stolen your device?  Yet I see people leave their cell phone on the table at restaurants while they run to the restroom. I see laptops sitting in front seats of cars, I see tablets left unattended on the beach.

Not to mention people using their devices in free Wi-Fi areas, like coffee shops, without even bothering to try to cover their passwords as they access their devices.

10. VPN

That’s right get a VPN (virtual private network). This little software miracle reroutes your information through the provider’s servers. This “hides” your actual IP address, making it much more difficult for the cyber criminal to find your computer.

If you’re not particularly techie, that sounds vastly complicated. It isn’t and they’ve made it even easier for you.

There are hundreds of VPNs available. Some are free, some aren’t.  To make your life easier, follow this link to see VPNSuccess.com top VPN Services for 2020 with cost and comparison data.

Your VPN does more than just mask your IP address, it can make it safer to access public Wi-Fi systems, as the information is going through the VPN server, not directly into your system. It can protect your personal browsing history from being sold.

A VPN system can be extended to cover all of your devices. In my home, it covers my laptop, my husband’s and my tablets, both of our cell phones and even our Wi-Fi router.

Take that cyber criminals!

Final Thoughts

If you have the internet, which I assume you do, and you have a connected digital device, you have cyber security risks and your personal information is in jeopardy.

If you are alarmed after reading this article, good.  You should be.  There are unknown numbers of cyber criminals out there, just looking for a way into your system.

If you take even one of the 10 tips provided to you and apply it to your system, I consider this article to be a major win.

Any single step we can take to defeat the cyber criminals and protect our own information is a win in my book.

We all work hard for our money, for our credit cards, for our bank accounts. We don’t need to give it away simply because we didn’t take the time to learn how to protect ourselves and our systems.

The first step in winning the cyber war is knowledge.  Be informed.  Read more and understand exactly what the threat is and how to minimize it.  Knowledge is power.

The second step is action. Take your knowledge and apply it. Buy the firewall or VPN. Update your virus definitions regularly. Monitor your system’s health just like a good doctor.

Be suspicious.  Would Aunt Mabel really send you that link? Do you really think the government is suddenly giving $75,000 to every American over age 50? When in doubt…DON’T CLICK!

Run your virus program frequently. Have your system swept at least once a week, and I mean a complete sweep. I know it takes a little time. Go grab a cup of coffee and throw the ball with the dog for a few. Your system and bank account will appreciate the effort.

Be cyber wise, my friend. None of us want to be a victim. Let’s start by being smart. It won’t stop the cyber criminal from trying, but it may just stop him/her from succeeding with you.

Related Questions:

How do you conduct a Cyber Security Risk Assessment? A Cyber Security Risk Assessment’s goal is to look at what’s been done for Cyber Security and compare this with best practice. The differences are assessed for the risks they pose.

How do you determine Cyber Risk? To determine Cyber Risk, the likelihood of the risk is compared to the impact. This will give a resulting low, medium, high and critical risk grading.

[1] https://www.merriam-webster.com/dictionary/cybersecurity

[2] https://www.upguard.com/blog/cybersecurity-risk

[3] https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

[4] https://onlinedegrees.sandiego.edu/top-cyber-security-threats/

[5] https://www.webroot.com/us/en/resources/tips-articles/what-is-social-engineering

[6] https://www.govtech.com/security/The-Biggest-Cyberthreat-Malicious-Insiders-Poll-Finds.html

[7] https://www.csis.org/programs/technology-policy-program/significant-cyber-incidents

[8] https://economictimes.indiatimes.com/tech/internet/internet-security-101-six-ways-hackers-can-attack-you-and-how-to-stay-safe/articleshow/61342742.cms?from=mdr

[9] https://www.forbes.com/sites/leemathews/2018/07/20/heres-what-hackers-do-with-all-your-stolen-passwords/

[10] https://www.techradar.com/best/best-encryption-software

Recent Posts