Four types of breach you need to know about
Ransomware, breaches and more: evolving cyberthreats in the pandemic era
Cyberattackers are constantly discovering new ways to steal your data and dollars. Our three-part cybersecurity series has explored the many ways cyberthreats have evolved in the era of COVID-19. This article outlines some of the newest ways a threat actor can access your home, networks, and private data.
Threat actors have never shied away from potential money-making opportunities—even if it relies on exploiting people’s emotional vulnerabilities. According to the Canadian Anti-Fraud Centre (CAFC), attackers are now tricking people into paying large sums of money to jump the COVID-19 vaccine queue, a scheme that’s only possible in today’s unique health crisis. They’ve also found ways to steal Canada Emergency Response Benefit cheques and other information using pandemic-related scams. The CAFC estimates that Canadians have lost $7.2 million to COVID-19-related schemes.
While tapping into people’s pandemic fears appears opportunistic, it’s further proof that cyberattacks are evolving beyond the simple phishing scam. Over the last few years, threat actors have developed more sophisticated ways to steal information. From fake text messages and threatening Canada Revenue Agency (CRA) calls to increasing internal threats to Internet of Things (IoT) device breaches, there are now numerous ways for an attacker to steal highly personal information from their targets.
With so many people now working from home, cyberattackers have adapted. Breaking into someone’s digital thermostat to enter their network wouldn’t have occurred to a threat actor a year ago. Now, if sensitive company information is on a home network, breaching an IoT device could provide an attacker with a goldmine of data ready to be sold on the black market.
Understanding how attackers are stealing their information is the first step for organizations and their employees in protecting themselves. Especially as working-from-home becomes a more permanent arrangement for some people and threat actors continue to innovate. Here are four of the top ways breaches are occurring today.
1. Phishing still number one
Phishing scams—where an attacker sends an email to a target intended to either get them to use private details to log on to website or install malware on their computer—are still the most prevalent threat. According to CSO.com, 94% of malware is delivered through email, while 80% of reported security incidents stem from a phishing attack. Over the years, it’s become harder to identify these threats. Fake emails that were once easy to distinguish now look as if they’re coming directly from a person’s bank or company. In many cases, attackers use personal details they’ve stolen or found online—health, family, or workplace information—to create emails tailored to people’s circumstances. All of this makes it harder to distinguish what’s real and what’s not. Phishing may be a familiar threat, but it’s increasingly harder to combat.
2. Insider threats from home
Employees are often a vulnerability for an organization when it comes to data security. They can inadvertently reveal confidential company information to friends, acquaintances, competitors, and others without realizing it. The newest insider threat, though, is unsecured personal devices used for company business. While working remotely, staff regularly use home computers to access sensitive information. If this information became exposed, it could put a business at risk. Threat actors are increasingly targeting home networks to gain access to these personal devices. Attackers are also infiltrating virtual calls, even going as far as physically breaking into homes. People are also throwing out papers without shredding them, leading to dumpster diving—another information-stealing tactic. Most staffers aren’t fully aware of this risk and are unaware of the policies or systems designed to protect them.
3. Phone scams continue
By now, nearly every Canadian has received a call from a fake CRA agent demanding they settle an unpaid bill or submit their social insurance number. According to the Royal Canadian Mounted Police (RCMP), scams like these have led to the theft of $16.8 million between 2014 and 2019. New COVID-19 pay scams are emerging. These target people online or over the phone, hoping to obtain pandemic-related cheques or information to expose an individual’s benefits. Often aimed at seniors, anyone can get duped into handing over sensitive company information by scammers posing as a tax worker, doctor, or other professional. Organizations should educate their staff to identify these scams and act accordingly.
4. IoT breaches increase
Our homes are increasingly more connected through IoT devices, such as smart thermostats, front door video cameras, voice-activated assistants, internet-connected blinds, and more. While these technologies may make our lives easier, many are also vulnerable to attack. According to Nokia’s Threat Intelligence Lab, nearly 33% of all mobile and wi-fi network infections stem from IoT device breaches, up from 16% in 2019. Most of these devices don’t have adequate security. Attackers have found ways to break into one of these gadgets and then breach a home network. Threat actors can also use the data from these devices against a target. For example, a thermostat cooling every day at the same time could be an indication that a person is not home. It’s also possible to break into a security camera and see who is coming to a front door or is inside a house.
Shielding your organization from growing threats
Protecting your organization, employees, customers, and the many other people potentially affected by security breaches of your business takes some work. But it has to be done, or you risk reputational, financial, and legal damage. Start by identifying what kind of data your company must protect. It could be financial, client, human resources information, or all of the above. A good starting point: think about the information that you wouldn’t want falling into the wrong hands.
Then look at what data privacy regulations your company must abide by—there could be many. The forthcoming Consumer Privacy Protection Act will regulate those operating in Canada. The General Data Protection Regulation is already used to govern Europe. Certain industries may also have specific privacy standards.
Once you understand your data, what you need to protect, and the regulations you must follow, you start putting policies and controls in place. These could involve stricter control on who gets access to what data. Maybe your organization decides to issue laptops to staff instead of having them use their own devices. An end-to-end assessment of security measures can be invaluable, helping you identify what more you can do to protect your organization and employees. A cybersecurity roadmap and strategic plan can also ensure your data is shielded by the proper privacy laws. It’s not a matter of if an attack will happen. It’s a matter of when. Cyberattackers are constantly searching for new ways to exploit information. The sooner you plan for a potential breach, the better off you and your clients will be.
Business Development Senior Manager
Detect & Respond Cyber Risk Services
Manager, Threat Intelligence & Threat Hunting
Deloitte Cyber Intelligence Centre