91% of all cyber attacks begin with a phishing email to an unexpected victim
8 simple practices towards cyber-resilience
KUALA LUMPUR, 9 January 2020 - Cybersecurity practitioners have, for many years, been promoting the adage ‘it's not if, but when’ organisations will be impacted by a cyber attack. With attackers adopting and deploying increasingly advanced and sophisticated tools, and organisations struggling to address cybersecurity challenges - not least talent and skill shortages - ‘if, not when’ is probably true for most organisations today.
The cybersecurity community generally believes that many of the security breaches in recent history were avoidable. For instance, research suggests that 95% of security breaches in 2018 could have been prevented, and that many of the techniques attackers used to successfully breach systems in 2018 remain the same as those used historically. In a more specific example, investigative reports describe the 2017 data breach suffered by the US credit bureau Equifax, which disclosed the personal details of more than 140 consumers, as ‘entirely preventable’.
While it is impossible to conclude definitively that the relevant security breaches would not have occurred even if stronger security controls were in place – after all, it is difficult to stop the most advanced and determined attackers – these reports suggest that it is far too easy for attackers to achieve their objectives.
Failure to adhere to basic cybersecurity principles, a concept which is becoming increasingly known as ‘cyber hygiene’, leaves organisations vulnerable to security breaches. Recent research reveals that over 80% of breaches involved the use of weak or stolen passwords; as access to corporate networks and applications is increasingly through corporate mobile devices or employee personal devices under BYOD schemes, poor cyber hygiene at an individual level has a direct impact on enterprise security – and attackers are certainly leveraging individuals as the entry point to corporate systems and data.
Therefore, what can we, as individuals, do to better protect both ourselves and, by extension, our organisations from these attacks? Below we highlight several practices that would improve our overall ‘cyber hygiene’:
Install security software on mobile devices
Driven by an increase in sensitive data held on mobile devices and trends in the use of mobile devices to conduct sensitive activities such as online banking, new variants of mobile malware increased by 54% in 2018, yet mobile users still do not adequately protect their mobile devices from malware. Security software from reputable vendors should be installed on mobile devices, and such software should be updated periodically.
Avoid browsing questionable websites
Compromised or known-malicious websites are one of the main avenues for propagating malware infections on mobile devices or computers. Limiting browsing activity to reputable websites and avoiding questionable websites reduces the possibility of such infections, otherwise known as ‘drive-by downloads’, on mobile devices or computers.
Only download reputable mobile applications from legitimate sources
Attempts to steal banking or other login credentials from mobile devices are also on the rise – a common method being to deceive or coerce individuals into installing fake versions of popular mobile applications, whether on the Google Play Store and Apple App Store or outside these repositories, or to have individuals download Trojan mobile applications which purport to serve a purpose (e.g., a function or game), but perform other malicious activities in the background. Limiting the installation of mobile applications to only those found on the Google Play Store and Apple App Store, and those published by reputable software vendors or that have positive reviews, will help reduce the risks arising from fake mobile applications.
Exercise caution on social media
Fraud, identity theft, and scams are a big motivator for attackers to connect with individuals – for example, harvesting information based on an individual’s social media presence may allow attackers to impersonate the individual for identity theft, or as a platform to launch social engineering attacks on an individual’s contacts and friends. Be careful of whom you accept as friends and be careful of revealing excessive private information through social media or job posts.
Use different passwords
A recent survey revealed that 59% of respondents, due to a fear of forgetting passwords, use the same password for multiple accounts, and for as long as possible. This practice allows attackers to access an individual’s accounts across various systems just by compromising a single credential. To minimise risk, it is advisable to use different passwords for different applications and sites (e.g., personal email, corporate network, banking, and social media accounts).
Beware of phishing emails
According to reports, 91% of all attacks begin with a phishing email to an unsuspecting victim. On top of that, 32% of all successful breaches involve the use of phishing techniques. Despite extensive attempts in the media and in corporate security programmes over many years to educate users on the dangers of phishing emails and the methods to spot them, these attacks remain highly successful. It is advisable to only open attachments when you are expecting them and know what they contain, even if you know the sender.
Be careful when using public wireless networks
Being on a secure connection does not guarantee safety from other malicious users on the same network. When using public wireless networks, use a virtual private network solution and avoid performing sensitive activities, such as online banking and online purchases.
Consciously keep up with current security trends and threats
Among the most widely publicised vulnerabilities of 2018, Meltdown and Spectre were reported to have affected virtually every computer system. New vulnerabilities are discovered on a daily basis, and it is important that individuals keep up to date with the latest trends and threats to ensure that remedial action is taken as soon as possible. The difference between being secure and potentially being breached often comes down to learning of threats as early as possible and addressing the issues expediently.
Aside from ‘if, not when’, another popular adage within the cybersecurity community is that humans ‘are the weakest link’ in security. The eight recommendations above, while not new, are unfortunately rarely practised by the common user. In order to stay safe online, both in our private and professional lives, and concurrently reduce risk to our organisations, maintaining good cyber hygiene has become pivotal and an essential first step in combating cyber threats.
The views and opinions expressed in this article are those of Ho Siew Kei, Executive Director, Risk Advisory – Cyber Risk, Deloitte Malaysia.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms and their affiliated entities are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax & legal and related services. Our global network of member firms and related entities in more than 150 countries and territories (collectively, the “Deloitte organisation”) serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 312,000 people make an impact that matters at www.deloitte.com.
Deloitte Asia Pacific Limited is a company limited by guarantee and a member firm of DTTL. Members of Deloitte Asia Pacific Limited and their related entities, each of which are separate and independent legal entities, provide services from more than 100 cities across the region, including Auckland, Bangkok, Beijing, Hanoi, Ho Chi Minh City, Hong Kong, Jakarta, Kuala Lumpur, Manila, Melbourne, Osaka, Shanghai, Singapore, Sydney, Taipei, Tokyo and Yangon.
About Deloitte Malaysia
In Malaysia, services are provided by Deloitte PLT (LLP0010145-LCA) (AF0080), a limited liability partnership established under Malaysian law, and its affiliates.
© 2020 Deloitte PLT