1. Bribery by encryption
Maybe the most heinous of attacks this year was Cryptolocker. This program encrypts all the files on a user’s computer, then starts a countdown clock and demands a $300 payment to have them unencrypted.
If the clock hits zero, the encryption key is thrown out and the files remain locked forever.
Other attacks have made similar claims in the past, but it’s usually misdirection — the files are never really encrypted. But this one’s the real deal: Just ask the Swansea, MA, police department, which had to pay out to get access to their files again.
So far the only defense against this attack is to prevent it in the first place. That’s going to require constant vigilance from you and users.
2. I just called to say you’re infected
Phone scams were also on the rise this year. Hackers call users claiming to be from Microsoft, an antivirus company, or any number of other organizations claiming their computer is infected with malware, which they can help remove.
Remind users that IT has them covered with all the antivirus and protection they’ll ever need — and that no tech company would ever call a user to inform them of a malware infection. If they get one of these calls, hang up or forward it to IT (if your department needs a good laugh that day).
3. Mobile malware is here and growing
With more tablets and phones shipping than laptops these days, scammers and hackers are inevitably turning to mobile malware.
Android is still at a very high risk. iOS isn’t immune. Essentially, the threat isn’t likely to die down anytime soon.
Whether devices are on your network as part of BYOD or company-owned, the threat still exists. Mobile Device Management programs can help, and should be used in conjunction with antivirus programs and a good dose of user training and warnings to look out for anything suspicious.
4. Potentially unwanted programs
The Internet’s full of toolbars, search assistants and other programs that slow down systems. For some reason, users are lured into downloading these all the time.
Also known as PUPs, these are frequently more of an annoyance than a serious security risk. But the two could go hand-in hand.
Preparing for 2014
You can expect more of the same in the coming year – and probably a fair number of types of attacks, too.
But IT security isn’t divided by years. Attacks can come at any time. About the only thing we can guarantee is they’ll come at the most inopportune moments.
Here are some security principles you’ll want to focus on at all times to help prepare.
Training in threat recognition
Users can always use extra training on threat detection and avoidance. Tell them some of the key signs to look out for, and encourage a policy of “When in doubt, call on IT to check it out.”
The more information you can give users on what a threat looks like, the better prepared they’ll be to handle one. Keep in front of them with in-person training or even by forwarding news of hacks and data breaches.
Check your security policies
BYOD and cloud policies should be a part of your arsenal by now. But a lot may have changed since your last update of the policy.
Review it with your department to make sure that the information is still up to date and useful to your users. For instance, users probably are using personal cloud services, such as DropBox and Google Drive, at a much higher rate than they were at this time last year.
Know your weaknesses
The threat profile isn’t the same for every company. Look at your systems to see where you:
- could be at particularly high risk, and
- have data that would be valuable to hackers or is business-critical.
It starts at the top
Whether it’s building up your defenses or training users, execs are the group you’ll need getting the message the most.
On the one hand, they need to be the group that buys into security most. If users see that their bosses take information security seriously, they’re more likely to follow suit. And aside from that, this is the group that needs security training the most anyway, thanks to spearphishing and other targeted attacks.
Get as much face-time as you can with higher-ups. Show them their decisions on security matters can make all the difference between a profitable or unprofitable company.
The winning argument? Present security fallout in terms of dollars and cents.