David P. Nowacki, CISA, CIA
It’s not surprising that in the rush of the holiday season, best practices for avoiding cyber threats end up low on the priority list. Although it’s important to be vigilant year round, it’s especially important this time of year when cyber breaches are more common.
As a gift to you, I present a unique twist on holiday spirit with “The 12 Ways of Breach-mas.” Below are 12 scenarios in which you, or the company that you work for, could be impacted by cyber threats this holiday season. Merry Breach-mas to all!
1. Phished on Black Friday
If you opened hundreds of unsolicited email ads during your Black Friday or Cyber Monday shopping, you may have been phished. Phishing remains among the most popular cyber-attack methods with close to 1 in 3 people routinely clicking on phishing emails. Think before you click and don’t give out your passwords…even when you’re offered a free Amazon gift card. Oh, and this should go without saying, but don’t phish at work. Your boss will thank you.
2. Skimmed by Convenience
During the holidays, convenient methods of purchasing or withdrawing money pop up to accommodate the needs of hurried shoppers. The result: public ATMs tucked into corners, mall kiosks with no one monitoring physical security, and volumes of credit card numbers waiting to be skimmed. Credit card skimming technologies are getting more sophisticated and tougher to detect. They can be the size of a pinhead or take the form of exact replica overlays for the very ATM you’re using. Lower your risk by only using trusted locations such as banks or credit unions, and avoid remote ATMs and point of sale terminals. If that camera on the ATM is pointing directly at the PIN pad, walk the other way.
3. Gifting the Internet of Threats
You purchased a smart home device, also known as an “Internet of Things” (IoT) device, for that special someone. They now have a coffee pot connected to their cell phone. Nice. With millions of smart devices connecting our homes to the internet this year, connectedness is certainly our future. But so is the “Internet of Threats”: the large portion of smart home devices built without an inkling of security. This year saw the first widely publicized distributed IoT attack when thousands of smart cameras were used to flood the internet with traffic, taking down access to popular sites like Twitter, Reddit and Spotify. There will be more attacks like this in the future. If you’re shopping for a smart home device, opt for the one with security if given the choice.
4. Skipped the Chip
Holiday shopping brings a bevy of convenient purchasing options for consumers: pop-up shops and mall kiosks, Christmas tree vendors and boutique shops, to name a few. Less sophisticated retailers often opt for convenience and are less likely to deploy a proven PCI-compliant payment card solution as it can be costly. Payment Card Industry data security standards exist for your protection, and many of the methods used by small retailers today, such as swipe devices that attach to a monitor or tablet, are cost-effective but lack the requisite security protection. To ensure the highest level of protection, use a chip or pay with cash at small retailers.
5. Scammed CEO
Do you want your holiday bonus wired to North Korea? Me either. Fake CEO scams are a growing area of cyber threats. A Fake CEO scam is when the attacker poses as an executive of your organization and requests that your finance department wire money to a foreign account. The scam is surprisingly effective: nearly $3 billion has been lost to it in the past two years, most of it unrecoverable. Take this opportunity to make sure your finance department is aware of this threat.
6. Held Ransom by Deals
Remember all those phishing emails you clicked while Black Friday shopping? Well, you provided valuable information to potential attackers, kindly letting them know that you’ll click on anything. The next threat scenario that will present itself is spear-phishing, or a targeted phishing attack. You’ll be emailed an opportunity to download a ransomware virus with the hope that you’ll accept. The ransomware will immediately take control of your computer and begin encrypting your files. You’ll have no choice but to pay a ransom for the encryption key. My advice to protect that holiday bonus: cross your fingers that the ransom is low, or that you (or your IT department) remembered to back up all your files.
7. Stolen Device
This classic data breach scenario is low on sophistication and high on carelessness. An employee leaves a laptop or cell phone in a car or a public place, and it’s stolen. Why is this important during the holidays? The last quarter of the year trends significantly upward with respect to device theft. Take this opportunity to educate employees that even in the rush to pick up some last-minute gifts, never leave devices unattended. Always encrypt and password-protect your organization’s mobile devices, and deploy remote data wiping software if it’s available. Your customers will thank you for protecting their data.
8. Baited by Fake Ads
If you’ve paid attention to the news lately, you’ve likely noticed an inordinate amount of discussion about fake news, particularly in the wake of this year’s Presidential election. The commercial nature of the holiday season provides no shortage of hype. Where there’s hype, there’s sensationalism and fake news. Clickbait is a subset of this, wherein an attacker baits you into clicking on an article, product review, or ad with a catchy headline or image. It is just as threatening as phishing, and the risks of downloading a virus or keylogger are extremely high. Exercise caution when browsing or Facebooking, and if a headline or deal is too good to be true, it probably is.
9. “Free” Wi-Fi
Cyber criminals know that during the holidays, travelers will spend more time in the airport than any other time of the year. They also know that people like free Wi-Fi. If you connect to an open Wi-Fi network and log into your online banking account or favorite social network, it may only take seconds for a hacker who’s “listening” to obtain your username and password. Minutes later they’ll have access to your account and by the time you’ve landed, the damage has been done. If you need to use public Wi-Fi, connect only to confirmed sources that use encryption and require a password. Use a secure VPN connection if you’re working. To be safe, set up alerts on your personal finance accounts, or avoid connecting until you get home.
10. Giving Your Identity
The holidays are a popular time for giving. Whether adopting a family in need or making a monetary donation, be reluctant to give out your credit card. Nonprofits are grateful for your donation and often provide a variety of ways to donate. Opt for proven solutions when donating. Online donation platforms are generally more secure than many of the POS devices or swipe apps. Use PayPal if it’s an option. When in doubt, donate cash or write a check to avoid giving your identity along with your money.
11. Greeting to Your Competitors
Thinking of sending out a New Year’s email greeting to all your customers or suppliers? What happens when your list of suppliers gets forwarded to a competitor? My most obvious tip probably goes without saying, but avoid leaking your competitive advantage by sending bcc, sending through a secure marketing automation program, or mailing a physical card. Your competitors are already paying top dollar for any edge in market share; don’t give them a gift!
12. The IT Holiday
With many employees taking time off during the holidays, IT professionals often devote extra time at year end for “special projects”. It’s important that IT departments make sure that routine tasks like systems monitoring and security don’t take a back seat to these projects. Ignoring alerts and failing to leverage existing solutions is one of the easiest ways to have your systems breached. In fact, lax practices like this contributed to some of the largest data breaches of the past few years, including the Target breach. Remind your IT staff that even in down time, it’s important to continue to monitor your systems’ security. Oh, and thank them for working during the holidays!
In closing, cybersecurity doesn’t need to be the first thing on your list this holiday season, but it should be toward the top. Your heightened awareness of the variety of cyber threats will help protect you, your family, your clients and your company during the holidays. Merry Breach-mas!
How BlumShapiro's Cybersecurity Team Can Help:
Could your organization be vulnerable to a cyber attack? What is your current exposure? How would your business continue to function in the event of a breach? Our cybersecurity experts can help you address the vulnerabilities and risks your organization faces against cyber security threats. Remember, the costs of developing a security strategy you feel confident about are minor compared to the potential financial and reputation risk if an attack or breach occurs.