The more cyber aware we are, the more we can mitigate risks in both our work and personal lives, explains Shelagh Donnelly
Cybercrime Is in the News Almost as Frequently as COVID
It seems not a day goes by lately without reading or seeing a news report of another cyber breach. As I write this, it’s difficult to gauge which continues to generate more media coverage: COVID-19 or cybersecurity.
Think back a few weeks. Many were rocked by word of a cyber breach of America’s largest gas pipeline operator, Colonial Pipeline Co. The ransomware attack shut critical conduits used to deliver fuel from Gulf Coast refineries to Southeast US markets. In turn, that shutdown led to fuel shortages across the East Coast – just as Americans approached their Memorial Day weekend. With shortages came reports of panic buying and price spikes.
Even more recently, a separate ransomware attack led the globe’s largest meat producer to shut down all its American plant operations – and to reduce or idle operations in Australia and Canada. JBS S.A., a Brazilian company, supplies almost 25% of the US market. As with some of those filling their tanks in the US, consumers in different countries would be wise to anticipate price increases as one consequence of the breach.
The Colonial Breach Involved a Single Password
In June 2021, Colonial’s CEO spoke before a US Senate committee, which convened a panel to examine threats to critical US infrastructure. I watched a portion of this session, in which the CEO told senators the hackers accessed Colonial’s system by stealing a single password. The CEO took care to state that the password in question was complicated. It came down to the absence of what’s known as two-factor authentication (2FA), which some refer to as Multi-Factor Authentication (MFA).
An Ongoing Focus on Awareness, Since Tactics Evolve
We need to be concerned about such breaches, regardless of the country in which we live.
I’ve been speaking about cybersecurity at conferences, for corporate audiences, and in webinars for some time now, and the problem is not going away. It’s escalating and evolving. Cybersecurity is a major problem, economically and otherwise.
Our focus on cyber awareness needs to be an ongoing process, simply because cybercrime is continually escalating and evolving. Hackers continue to change and up their game, and their approaches are increasingly sophisticated.
It’s not uncommon, when I present on how to mitigate cyber risks, for people to come up to me at the end of our session and relate how family members or friends have been personally impacted by cybercrime. While a significant portion of these tales relate to older family members who’ve been swindled and are then too mortified to tell their children (let alone police) about a crime for months on end, I’ve also heard about colleagues who made inappropriate use of employer hardware that led to breaches.
I tell you this, and speak on cybersecurity, not to frighten you. I do so – and continually keep an eye out for the latest on cybercrime – because the more aware we are, the more we can mitigate risks. Rather than being alarmed, we can focus on being aware of evolving tactics and mitigation strategies.
No Sector, Employer or Individual Is Immune
The breaches at Colonial and JBS are but two of the latest. If I were to present you with a list of known breaches, it would more than fill the pages of this magazine. Cities large and small have been attacked, as have healthcare organisations, education and government entities, high profile organisations and small employers alike. Those at the helm of some cities and institutions choose to pay ransomware demands and hope for the best, while others instead spend millions to restore their computer networks.
The JBS breach is not unique within the food sector. We’re told there have been in excess of 40 publicly reported ransomware attacks against food companies since May 2020. You’ll note the term ‘publicly reported’. That’s because many choose to keep cyber breaches as quiet as possible.
Nor is any sector or employer immune. Respected cybersecurity services firm Herjavec Group recently identified victims of data leak ransomware operations over the first half of 2021. The sectors include manufactured goods, followed by technology and technology service providers, public sector and legal services, finance, healthcare, education, entertainment and energy. Bloomberg News has reported on the significant financial pain hacks have inflicted upon technology, retail and healthcare “giants”.
Cybercrime, COVID and Ransomware
If you’ve attended any of my webinars in the last year or so, you’ve likely heard me caution that cybercriminals have been having a field day during the COVID-19 pandemic. Ransomware attacks have become even more sophisticated and targeted in the first two fiscal quarters of 2021.
What about the costs? They’ve also shot up. Herjavec Group reported that the average 2021 cost of recovery and ransom related to a ransomware attack is double the average 2020 ransom demand.
Then there’s the extent of breaches. Consider a Bloomberg report updated on May 18, 2021. It stated that, since January 2020, 774 million records have been exposed through breaches of 58 corporate, government and non-profit organisations. Knowing that 774 million records have been exposed in the space of less than 17 months is staggering. It’s all the more noteworthy knowing that this whopping number reflects breaches within only 58 organisations.
Assistants and Cybercrime
Assistants are aware cybercrime is an issue of concern. Through my Weekend Polls over the course of four consecutive years (the 2021 poll will be underway or complete by the time you read this), I’ve asked readers about their cybersecurity awareness. Last summer, a whopping 70% said they were aware of cybersecurity breaches having occurred at their current or prior places of employment.
In total, 69% of respondents said they were very concerned about cybersecurity in the workplace and 51% felt the same way about cybersecurity in their personal lives.
While 72% of respondents said they’d increased attention to and care of cybersecurity given the pandemic and the increase in remote work environments, I suggest it’s helpful to pay increased attention to the passwords we use. It’s not uncommon for people to use the same password or passphrase for more than one work account or login, and that’s the case for 43% of the assistants who responded to my last poll on the topic.
When speaking to assistants about cybersecurity, I caution against the intertwining of personal and business data. When we use even a single piece of hardware for both personal and career purposes, a breach of data on that hardware has potential to impact both aspects of our lives.
Personal Data Is Being Commoditized
Apart from the potential of seeing our business and personal lives colliding through a breach, we need to be mindful that the rate at which our personal data is being commoditized is on the rise. In my presentations on post-pandemic careers and on IR4.0, the Fourth Industrial Revolution, and what digitization means for assistants, I’ve referred to data as the new oil.
Well, that’s particularly true when it comes to biotech, or biotechnology. I was struck by a headline and report earlier this year entitled “Companies and Foreign Countries Vying for Your DNA”. I watched the related interview and read reports that the US military has now warned all service members against using direct-to-consumer genealogy tests. CBS and 60 Minutes reported the military’s concern that such tests are largely unregulated, that “…outside parties are exploiting the use of genetic data” and “the DNA data collected could be exposed or exploited”.
When online, whatever the hardware and network you’re using, be aware of inadvertent or seemingly innocuous browsing and other habits that expose our personal data to risk.
In late spring and early summer 2021, you may have seen new, modified versions of a few friends’ faces on social media. It’s not that these people have been heading for plastic surgery en masse. Rather, photo manipulation app Voilà has gone viral and people have been using technology to create cartoon-like and other variations of photos of their faces.
Technology provides multiple opportunities for fun as well as business and education, yet it’s good to exercise caution when it comes to certain seemingly innocuous links and games. There are numerous social media posts with “opportunities” to see what you’ll look like at 60, which well-known person you purportedly resemble, your personal characteristics, or some other factoid about yourself.
Like Cotton Candy
On the surface, many of these games are somewhat like cotton candy – a bit of fluff that seems like fun, yet we don’t really need. In fact, we may later regret having indulged. Should you choose to play these online games or have fun with photos, be mindful. Invest the time into reading the terms and conditions associated with any such activity.
The same is true with any resource you download. We should make a practice of being mindful of how our personal data can be commoditized or otherwise used. Do you know, when you enter your photo in this age of facial recognition, who will then have access to it? With one app I recently downloaded (and subsequently removed after limited use), the fine print read, “This Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile internet browser you use, unique device identifiers and other diagnostic data”.
We also want to be aware that the data we provide when downloading an app or other resource can be outsourced by app or product providers – and, as mentioned above, no individual or organisation is immune to cyber breaches.
About All Those Passwords and Passphrases
I mentioned that 43% of respondents to my Weekend Poll told me they use the same password or passphrase for more than one work account or login. When I provide cybersecurity training, I share tips on mitigating the risk of a cyber breach through thoughtful use of passwords or – even better – passphrases.
We all know what a pain it can be to not only create, but also remember, multiple passwords for both personal and business use. It’s unsurprising that people use the same passwords for multiple accounts, and it’s also unsurprising when we forget one and need to reset it! Others turn to password apps, which can be handy. Again, it comes down to doing our research and consulting with our IT colleagues.
Now, there’s another approach on the horizon. In late June 2021, Transmit Security generated an incredible response to its initial public offering (IPO). The company, which is experiencing accelerations in its business, is planning to go public and raised an impressive $543 million in Series A funding.
What’s the appeal? Transmit Security uses biometrics – facial recognition and fingerprints – in lieu of all those cumbersome passwords. Biometrics are nothing new; the laptop I bought in 2018 gives me the option of recognising my eyes rather than me having to enter a password as I log on.
This company, though, is offering “passwordless authentication” as it modernizes what’s known as the identity space. Just as we deal with multiple passwords at home and in our careers, we also deal with a barrage of acronyms. When you think of how the Colonial Pipeline breach involved a single password, however, here’s an acronym we could grow to love: PWA, also known as Passwordless Workforce Authentication!