Headlines about cyber-threats are endless
Twitter and its employees were recently hacked in a cyberattack that ended up gaining access to the profiles of Barack Obama, Kanye West and other celebrity bigshots. TikTok has been in the national spotlight as it becomes an increasingly popular social app, yet even experts don’t know where all of the user data is going. What they do know is TikTok is ripe for a nefarious data breach.
While these are just two of the more prominent cybersecurity cases in recent memory, they serve as an important reminder that even with all else going on in the world (a rampant viral pandemic and struggling economy), cyber-criminals are still out there.
Though not solely to blame, part of this issue is the country’s sudden and large-scale shift to work from home in the wake of COVID-19. Big corporations and small business owners alike were all faced with the same challenge: transition employees to work remotely and do it fast.
At Better Business Bureau Northwest + Pacific, we’ve been pleased to hear many business owners were able to handle this with tact. But that doesn’t mean it was without risk. In fact, since the start of COVID-19, there has been a 20% spike in cyber-fraud, according to fraud-prevention platform Arkose Labs.
Scammers and hackers like risk because it often translates into vulnerability. Even with so much else on their plates, business owners must remain vigilant when it comes to their data and cybersecurity posture.
Be Careful What You Click
One of the most common scams that leads to hacks is employee email phishing.
“Criminals are very good at surveying the landscape to determine which areas or regions are most vulnerable,” said University of Hawaii Chief Information Security Officer Jodi Ito. “We haven’t seen new techniques since the start of COVID, but we have seen cyber-criminals getting better at creating backstories to impersonate someone else. They also have a lot more information about the target recipient to make [the scam] seem more legitimate.”
What Ito is describing is better known as an imposter scam, and it’s an extremely successful way for cyber-criminals to gain access to employees’ personally identifiable information, as well as sensitive business data. In most cases, unknowing employees click on a malicious link that they think came from someone inside their organization. But that link compromises the device, leaving the business open to malware and ransomware attacks.
These attacks are working more often because of the believability of the imposter email or message itself. But where are bad actors getting this data? How do they know so much about you, or your boss?
Read the Terms & Conditions
Let’s go back to TikTok for a moment. TikTok collects 125 pages of user data within the first nine seconds of opening the app. This includes things like your IP address, your browser history, your behavioral data, and information from other third-party social media profiles. Now, while we don’t know exactly where that data goes (because it’s a Chinese app, not a U.S. app), we do know this level of data harvesting is seen across the board at Facebook, Netflix and Amazon, to name a few.
When we agree to the terms and conditions of these (and many, many other) apps, we are consenting to a certain level of data sharing. This data is then used in a bevy of ways, including but certainly not limited to:
- Showing us tailored advertisements or movie content
- Selling access to our newsfeeds to third parties (not access to the hard data itself)
- Trading data with other tech giants (as publicized in 2018)
- Aggregating to create buyer personas
Not every app or tech company uses data in the same way. But yes, oftentimes your data is shared, despite such practices coming under heavy scrutiny in recent years. And sometimes giants (like Facebook) come under fire for having more intrusive access to personal information than users thought they agreed to.
Still, all of the above barely scratches the surface about the intimate ways in which our data is used to paint a picture of us as consumers, as voters and as employees. The point is this: Data privacy is an omnipresent issue, and when that data gets into the wrong hands, it becomes easier to scam people. Data security company Varonis shared that 71% of breaches are financially motivated and 25% are motivated by espionage.
“Consumers should be very careful – read the terms and conditions to learn more about how your data is being shared and who has access to it,” Ito asserted.
Understand Where You Are in the Supply Chain
In the era of COVID-19, the type of information we are giving out is also of concern to cybersecurity experts because it’s health-related and is being used for critical research.
Ito says she and her colleagues see a budding cyber-threat: universities, research facilities and labs becoming prime targets for a breach.
“These entities are being targeted by other nations for their COVID-19 research data,” Ito said. “They want to be the first in the race to develop a treatment or a vaccine, and they want to do it without having to do the base research on their own. They try to steal it instead. If they can get to market even one week ahead of their rivals, that’s a huge gain.”
Such information was already breached at the University of California, which confirmed in June it had to pay $1 million in ransom to a hacker gang called Netwalker.
Ito added, however, that smaller companies within the supply chain of medical research or defense for COVID-19 are at risk for similar hacks.
As we always stress at Better Business Bureau, there is no such thing as being too small to be hacked. In fact, 43% of cyber-attacks annually target small businesses, according to Verizon.
Cyber-criminals don’t just go after the big guys. It is imperative, now more than ever, for business owners to educate employees, remain on guard and update their cyber-hygiene policies in the new normal.
For more information on cybersecurity, visit BBB.org/cybersecurity.