2020 was a challenging year for cybersecurity. In the midst of an unprecedented global pandemic, we saw cybercriminals stoop to new lows, targeting hospitals and impersonating governments to steal social support cheques. And despite positive developments, all signs point to a tough year ahead. With that in mind, I recently was asked this question: What do you think is the biggest cyber threat for 2021?
That’s right. It’s not sinister nation-state actors or destructive ransomware. The biggest threat to cybersecurity is burnout. As many of us stare down a long Zoom tunnel every week, it’s far too easy to get complacent. At the same time, constant fear-mongering about cyber breaches can scare employees and eventually become noise. This cyber fatigue is dangerous because people end up ignoring it. And that’s exactly when mistakes can happen.
The good news is that protecting your company from cybercriminals is straightforward. You don’t have to be scared. You just have to stay vigilant. In this article, I’ll debunk some common myths about cyber threats and tell you what you can do to protect your company during 2021.
Debunking Myths About Cyber Threats
In recent months, I’ve noticed a disturbing trend of fear-mongering about cybersecurity. While it’s good to stay in-the-know about cyber threats, doomsday thinking is rarely productive. Here are a few things I’ve heard, and why I think you can use your mental energy elsewhere:
#1 Nation-states are sponsoring sophisticated hacks like SolarWinds!
While it’s terrifying and grabs headlines, advanced threats are a very small percentage — less than 4% — of cyber breaches, according to the 2020 Verizon DBIR. Nation-state actors are much more likely to target critical infrastructure, specifically the health, telecommunication, or energy sectors. Chances are that the 1000+ state-sponsored hackers who took part in the SolarWinds campaign do not consider your organization a key target.
#2 Military-grade cyber weapons are in the hands of common criminals!
Yes, there have absolutely been some devastating breaches of hacking tools. However, when new hacking techniques are detected, software developers are quick to patch the vulnerabilities, and security researchers publish detection signatures. Discovering a “zero-day” (previously undetected) exploit is worth up to $2 million USD when sold to vulnerability research companies! Every time malicious hackers use powerful new tools, they risk being detected and having to “burn” the asset. Therefore, there’s no incentive at all for cybercriminals to use the newest, most sophisticated tools against anything but the highest value targets. For less sophisticated threat actors, most of their attacks can be prevented with frequent updating/patching of your software.
#3 Ransomware is booming and will lock up all your files!
Okay, this one is fair. Ransomware is definitely on the rise, and will most likely result in record cyber insurance claims for 2020, though the numbers are still coming in. However, mitigating this threat is squarely in your control, since you’ve been making (and testing) backups of all your critical data… right?
Staying Vigilant and Avoiding Cyber Fatigue
Making and testing backups is just one of the ways you can play offense and avoid cyber vulnerabilities. And the good news? It’s pretty straightforward. When it comes to cyber events, usually the culprit is not sophisticated hacking teams from Russia or China. It’s human error. That’s why fatigue can be so dangerous. And believe me, I get it. 2020 was a tire fire of a year. Many of us are working more hours than ever before and juggling challenging family situations. But we shouldn’t let our guard down. Here are three practical actions organizations can implement to be more secure, with little user impact:
#1 Use a password manager.
Over a third of credential theft breaches use stolen or weak credentials. A password manager is a software that stores passwords for all your different accounts, so you only have to remember one strong “master password.” There are free options available for the price-conscious. You really shouldn’t be reusing passwords, because if your credentials are stolen, you will have multiple accounts compromised.
#2 Enable multi-factor authentication (MFA) wherever possible.
Especially if you are using a password manager (one key to rule them all), you need to layer in as much protection as possible. Usability for MFA has greatly improved to the point where you often just need to click “Yes” on your phone for that second level of authorization. With MFA in place, your master password will be protected against 99.9% of account compromise attacks.
#3 Make cybersecurity awareness training a corporate priority.
Your employees are the best protection you have against hackers, and you want them to stay mindful of cybersecurity. For instance, if someone asks them for their credit card number or wire account information, they should ask why do they need that number? When anything seems strange or out of place, they should feel comfortable flagging it to the security team.
Focus on making things easier for your employees, and lower user friction on security practices. If you’re not sure where to start, check out the Startup 7, my list of cybersecurity fundamentals for startups. Switch things up if your employees need a refresher. For example, this year we switched our cybersecurity awareness platform provider to a new one. There was nothing wrong with the previous company, but it’s good to keep things fresh. Also, it’s a good idea to run phishing simulations to keep your team extra sharp, since over two-thirds of cyber breaches are caused by credential theft, errors, and social attacks.
No matter how scary cyberthreats may seem, the sky isn’t falling. There are cybersecurity professionals working non-stop behind the scenes on making the world safer. Things are going to be okay, so for now let’s stay calm and vigilant and take reasonable precautions. Hopefully, we can soon worry about staying cyber safe while traveling again! You always use a VPN when accessing public WiFi in an airport or hotel, right?