Is there a profession where time or place doesn’t matter, there is no dress code, you don’t have bosses, or numbers don’t matter? The truth is no, or at least we don’t know of one, but the closest thing to it is the activity of cybercriminals. Their day-to-day work draws on multiple disciplines and technical skills, applied from “the dark side,” generally for economic benefit.
Targets of cyber criminals
Talking about concepts such as fraud, extortion, blackmail, or deception implies discussing cybercrime. These crimes are now less face-to-face and more digital. Cybercriminals adapt to current events: in 2020, for example, their efforts focused on the global pandemic, attacking pharmaceutical companies, laboratories, and suppliers, which allowed them to hide among the tide of information and go undetected.
Their main objectives are usually those that yield the greatest benefit in the shortest possible time since, in this way, they reduce the chances of being discovered. In this sense, teleworking is the perfect “breeding ground” for cybercriminals: they attack BYOD devices connected to company networks, whose defensive barriers are often neglected by their users and which present vulnerabilities that cybercriminals can exploit.
The use of insecure Wi-Fi networks, the cloud, remote access without VPN, video conferencing or collaborative applications, corporate email outside the organization’s control, out-of-date devices, social networks, and unsafe passwords is also frequent among users, along with a host of other situations.
All of this increases exposure to cybercriminals, whose goal will always be the same: make a profit and flee.
The method does not matter if it brings benefits
Everything is valid as long as an economic benefit is obtained from the theft of information, such as the “kidnapping” of data with an accompanying ransom demand. In this sense, the techniques of cybercriminals are very varied, although they usually share a modus operandi based on three main phases:
- Selection of the objective: Generally, companies with obsolete equipment that presents vulnerabilities, or companies that are unconcerned about cybersecurity.
- Malware implantation: Carried out through social engineering techniques, getting the victim to perform a previously planned action (sending viruses, malware, etc.).
- Execution and concealment: Extraction of information, ransom if applicable, and disappearance from the scene with the shortest possible exposure time.
Currently, there is a large amount of information on the Internet about techniques that allow anyone to carry out intrusive actions of a certain sophistication. This causes the number of cyber incidents to increase considerably, exposing the attack surface of companies to a wide variety of individuals with little knowledge, looking for vulnerabilities or “entry doors” to the systems.
If we add to all this the fact that there is little cybersecurity awareness among employees, who therefore access websites with a dubious reputation, download from unreliable sources, neglect to update their personal devices, use pirated software, or use email carelessly, we have the necessary ingredients for a security incident that affects the company’s continuity.
On top of that, the widespread use of default or easy-to-guess passwords and unsecured Wi-Fi networks gives cybercriminals plenty of targets to choose from.
Finally, if the cyber attacker has not achieved their objectives, it will be time to turn to the most effective technique: social engineering, which ranges from deception with commercial campaigns to fraudulent emails or calls from false technical support. These examples are only a small sample of the potential of this technique, which allows cybercriminals to build a complete profile of their victim before launching their attack.
How to protect yourself
Generally speaking, obtaining a minimum level of protection in cybersecurity is relatively easy. This implies paying special attention to the following points:
- Use strong passwords, which contain numbers, symbols, and both uppercase and lowercase letters, and are not words that can be found in a dictionary or overly simple combinations of letters. The length must be at least eight characters, although the recommended length to be considered safe is 14 or more. It should be remembered that passwords must be personal and non-transferable and not be provided to anyone under any pretext.
- Use antivirus and antimalware programs with real-time protection, constantly updated and from well-known manufacturers. Running two or more antivirus products simultaneously is not a good practice, since they could cancel each other out and reduce the effectiveness of the software.
- Keep the software of the devices permanently updated. An out-of-date program may have vulnerabilities that cybercriminals could exploit to break into systems and steal information.
- Encrypt sensitive company information. Photos, documents, databases, etc., should be encrypted with strong passwords so that, if a system is compromised, it will be more difficult for the cyber attacker to use sensitive information.
- Regularly use secure networks or VPNs (Virtual Private Networks) when teleworking or browsing the Internet, thus ensuring that the information cannot be seen directly by third parties and, at the same time, gaining a certain anonymity depending on the type of protocol used.
- Use secure Wi-Fi networks in hotels, restaurants, airports, shopping centers, etc. It is common to find open Wi-Fi networks, or networks with widely known or openly provided passwords, and with a multitude of connected users.
In these cases, carrying out risky operations over these channels is not recommended. Bank inquiries or personal or business services, such as email or social networks, should be avoided.
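The password criteria from the first point above (numbers, symbols, uppercase and lowercase letters, no dictionary words or overly simple combinations, at least eight characters with 14 or more recommended) can be enforced automatically. The following checker is an added example, not part of the original article; the function names and the small sample wordlist are assumptions made for illustration.

```python
import re

# Constructed sample wordlist; a real deployment would load a large dictionary instead.
SAMPLE_WORDLIST = {"password", "welcome", "company", "qwerty", "letmein", "admin"}
MIN_LENGTH = 8           # minimum length stated in the article
RECOMMENDED_LENGTH = 14  # length the article considers safe
# Common character substitutions, undone before the dictionary check.
LEET = str.maketrans("0134578@$!", "oieastbasi")

def _has_simple_pattern(pw):
    """Detect four repeated characters or a straight run such as '1234' or 'dcba'."""
    low = pw.lower()
    if re.search(r"(.)\1{3,}", low):
        return True
    for i in range(len(low) - 3):
        steps = {ord(low[j + 1]) - ord(low[j]) for j in range(i, i + 3)}
        if steps in ({1}, {-1}):
            return True
    return False

def check_password(pw, wordlist=SAMPLE_WORDLIST):
    """Return (verdict, problems); verdict is 'reject', 'minimum' or 'recommended'."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "number": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, pw):
            problems.append("no " + name)
    # Normalize so that 'P@ssw0rd!' is still recognized as 'password'.
    normalized = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if any(word in normalized for word in wordlist):
        problems.append("based on a dictionary word")
    if _has_simple_pattern(pw):
        problems.append("contains a simple sequence or repeat")
    if problems:
        return "reject", problems
    return ("recommended" if len(pw) >= RECOMMENDED_LENGTH else "minimum"), problems
```

A password such as "P@ssw0rd!" satisfies every character-class rule yet is still rejected, because after undoing the substitutions it is a dictionary word.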