Co-Founder and COO of 42Gears, a unified endpoint management vendor loved by customers worldwide.
The Twitter compromise that took place in July of this year might seem like it came out of nowhere, but this isn’t true. In fact, security threats are everywhere and target everyone.
The media reports on high-profile exploits but less so on the thousands of daily scams and threats that average workers face monthly. The challenges that go unreported are arguably more important than newsworthy ones. After all, the victims of low-profile threats likely don’t have the resources necessary to recover from a compromise the way Bill Gates likely does.
We all know about classic scams and their ludicrous demands, like paying back taxes via iTunes gift cards or wiring money to mysterious foreign dignitaries. But modern scams are much more clever, and even some of the savviest workers might fall for them.
The Linux enterprise platform Red Hat breaks down threats into two halves, and I think it’s a useful framework. One part is the “payload” or the malicious code being conveyed. The other part is the “delivery system” — the vector used to infiltrate an organization and deliver the payload.
Here are a few of the most concerning delivery systems and payloads to which businesses can fall victim in 2020. You might not hear about them in the news, but you absolutely need to know about them.
Three Ways Malicious Software Enters Your Organization
1. Email phishing
No one wants to miss an important message from a manager or boss. This can unfortunately be used against employees by unscrupulous third parties who know an employee’s first name.
Most email clients are able to filter these messages through to spam, but as anyone who has ever had an important email go to spam knows, this doesn’t automatically mean it is fake.
2. Text phishing
Businesses typically favor emails over texts for important communications, but if you allow employees to use phones at work, those phones also become prime targets for phishing. Texts with malicious links may take the form of coupons for popular stores, updates about purchases the user never made and more.
Given the near-infinite range of phone numbers available to scammers, workers cannot simply block a number and be rid of the scam. Text phishing requires workers to always remain vigilant anywhere they use a smartphone tied to work — even at home.
3. Social hacking
Not all threats manifest through code manipulation. If someone can identify flaws in an organization’s protocols, that person can manipulate others to obtain sensitive information. As an example, in 2015, teenagers exploited Verizon Wireless employees to gain access to then-CIA-director John Brennan’s private email account.
This is why top security certifications like the ISO/IEC 27001:2013 focus on protocol and secure communication alongside basic data security. To be truly secure, an organization needs to keep both its data and its employees safe from exploitation.
Three Kinds Of Payloads To Protect Against
1. Ransomware
Security experts often speak about malware in terms of what it costs companies to fix the issue, but ransomware makes this much more literal. In a ransomware attack, victims’ data becomes encrypted and inaccessible, unless the victims complete some action — typically, paying a sizable ransom.
Ransomware often asks for money but other untraditional conditions have been stipulated. In the 2010s, someone created a joke ransomware program that mandated users earn a high score in a specific video game to retrieve their files. Other people began spreading the program maliciously, resulting in many users who had no way to feasibly retrieve their data.
2. Spyware
Spyware doesn’t steal pre-existing data but listens in on everything the user does after a device is infected. This is typically associated with laptop keyboard loggers and other activity trackers, but is by no means limited to computers. High-profile compromises include one at a prominent food self-service kiosk provider, which resulted in the biometric data of potentially over a million customers being leaked.
3. Cryptomining malware
While cryptocurrency often fluctuates massively in value, no one would turn down receiving it for free. That’s exactly why cryptocurrency mining is so popular and why hackers hijack compromised devices for mining.
Because there is no central authority for Bitcoin, for example, anyone who offers their processing power to administer Bitcoin transactions can earn “free” Bitcoin as compensation. The more processing power you have, the easier it is to earn Bitcoin. Employees may find their computers sluggish, unaware that the missing processing power is helping someone off-site mine cryptocurrencies.
Workplace threats no longer need to strike in the workplace. With smartphones and other devices workers take home with them, compromises can happen anywhere. For this reason, it’s essential to manage worker devices, whether the worker or the company owns them. Choosing a good mobile device management solution is a major step toward keeping your company safe.
Even though I’ve explored some specific threats, I want to clarify that businesses need to prepare for anything. If you only prepare for the threats I’ve mentioned, you will be caught off-guard by dozens of potential payloads and delivery systems. Your security infrastructure cannot be built around one specific threat. In order to protect your business assets and reputation, you need to plan and execute a forward-looking, comprehensive security strategy.