Workplaces are full of metaphorical landmines, real and imagined. Staffers must navigate unrealistic project deadlines, bosses saying one thing but meaning another, intra-office politics. But a common problem spot appears much more innocent: an email.
Opening a seemingly OK but nonetheless infected email can open a Pandora’s box of costly-to-fix malware that can cripple any organization.
And the range of malware — whether it’s adware, phishing, spyware, viruses, worms, Trojan horses, rootkits, backdoors, keyloggers, ransomware, browser hijackers or some other type — is constantly growing. The best estimates put the number of new malware samples created each day at about 325,000. As recently as 2007, the figure was 15,000 to 20,000.
“I think it’s important to get across to people that, hey, no matter what our business is, what we do or how big or how small we are, everybody is really at risk, even if we get sort of this collateral damage and by accident they find their way into our environment,” Mark Villinski, part of the corporate marketing group at Kaspersky Lab, said at the recent Interface conference in Salt Lake City.
The idea that cybersecurity risk is omnipresent is symbolized by a data breach at a pizza shop in Portland, Maine, where hackers stole about 900 customers’ credit card numbers at point-of-sale (POS) devices at checkout.
“If the pizza shop down the street from your house can get malware on their POS machine, I think it’s a good example that really this can happen to anybody. … And the more we can get our environments thinking or looking for a general awareness like that, we’re just a little better off,” Villinski said at the event, part of a nationwide conference series for IT professionals focusing on the latest developments in information security, IT infrastructure and communications.
Villinski said companies can take several actions to try to prevent malware woes. Most of them focus on educating employees — and executives — about the scope and potential severity of the problem.
“If we can only get one or two folks, or maybe that ‘common man’ person, in your organizations a little more on board with you and [be] a little more of active participants in security, if you will, we’ll be a little bit better off,” he told the crowd.
“The decks are stacked against us. As we think about Internet companies like yourselves spending thousands of dollars or maybe hundreds of thousands of dollars on security, in a lot of cases the bad guys who write their malware and stuff are literally spending nothing or maybe $50 or $100 for an exploit kit off the Internet. There’s quite an imbalance, and we’re really up against it.”
Statistics reflect the imbalance and likelihood of trouble. Every minute, 350 gigabytes of data are uploaded to Facebook, as are 104,000 Snapchats. About 570 websites are coming online each minute.
“Lots of those [are] built by good people with good intentions but possibly a little poorly designed, giving the bad guys many avenues to get out to us and our employees, and lots of those [are] built by bad people with bad intentions for the explicit purpose of having more avenues and opportunities to get out to us,” Villinski said. “And there is a lot of bad going on.”
A worldwide survey in 2014 by Kaspersky indicated that most respondents had been hit by spam and malware, and 94 percent reported being cyber-attacked within the past 12 months — up 3 percent year over year. While only 12 percent reported being victims of a targeted attack, that figure likewise was up 3 percent.
In that same survey, nearly 27 percent of companies said they lost confidential data as a result of an internal security incident, and the average cost for accidental data leaks was $39,000 for small businesses and $884,000 for enterprise operations.
The proliferation of malware has seen exponential growth. In 1994, one new piece of malware was created daily; by 2006 it was one per minute, and by 2011 it was one per second. Now it’s about 325,000 pieces per day. And more malware has been created in the past two years than in the previous 10 years combined, he said.
“Everything there is predicated on humans making mistakes or being tricked, or, in some cases, following proper procedure and being safe and still it was an area being compromised,” he said.
But there is hope. The chances of infection drop if companies invest in people, products and services aimed at keeping the bad stuff out.
“If we think of the hacker out there like that bear, nipping at the feet of the people at the back of the pack, if you can get one, two, three employees just a little bit more security-aware, to maybe not click on that link or something, maybe similar to the bear moving on the next-closest guy, the bad guy is going to stop wasting time in your environment. He’s going to move on to the next one,” Villinski said.
Among tips Villinski suggested to address malware threats are:
• Talking to employees about cybersecurity and malware’s potential impact on company operations. Having employees sign an “I have read and understand company IT policies” form is not good enough, he added. Regular testing of employees’ knowledge of the matter helps, especially if the company makes it fun and/or rewarding.
• Remembering that top management and IT staffers are employees, too, and often are great targets for attacks.
• Having employees understand that their organizations cannot create policies sophisticated enough to cover all possible attacks.
• Having companies realize that their employees are humans and therefore have weaknesses and make mistakes.
• Having companies never disapprove or make fun of an employee who raises a cybersecurity red flag, even if it’s a false alarm.
• Listening to feedback from employees about security systems. If companies force employees to change their passwords weekly or make access to information too complicated, it can lead to employees bypassing the restrictions, likely making the company even more vulnerable to attacks.
• Understanding that a cybercriminal almost never looks like one. Some cyber-incidents start with a phone conversation with someone who poses as a coworker who builds his understanding of a company’s internal structure and operations by asking innocent questions. Some can occur with, say, a person gaining entry to a workplace, leaving infected USB drives throughout the building and swiping unattended mobile devices left on desks.