Where there’s sensitive information, there will be people who seek to exploit it. In an increasingly digital world, criminals are trading in their lock-picking tools for sophisticated digital techniques that aim to gain access to sensitive data with malicious intent.
The good news is there are easy ways to protect yourself and your data. To better understand the most common cybersecurity threats and what you can do to protect yourself, we sat down with Cayuse Chief Information Officer John Nord.
What are the most common forms of cybersecurity threats?
There are a number of evolving cybersecurity threats out there, but the most common that we see revolve around:
- Phishing/smishing: Sending fraudulent emails or text messages to trick recipients into divulging personal information, such as passwords or credit card numbers.
- Ransomware (malware): A type of malicious software designed to block access to a computer system until a sum of money is paid.
- Zero-day vulnerabilities: A weakness in a software program that has been discovered by a cybercriminal and exploited. It is termed “zero day” because the cyberattack occurs when the vulnerability is discovered.
What is phishing and how can research professionals protect themselves?
Phishing attacks accounted for 90% of data breaches in 2021, according to Cisco’s 2021 Cyber Security Threat Trends report.
There are a number of types of phishing attacks that we need to be aware of, and not all come through email. These include:
- Spear phishing
- Smishing
- Vishing
Phishing, generally, involves a widespread email attack that attempts to get the recipient to click on a hyperlink or perform some other action with the intent to compromise our information, typically a username and password. There is almost always a sense of urgency to the message, designed to trigger our human emotions of protecting ourselves or our information. This urgency is actually one of the warning signs that the message may be an attempt to compromise our information. In bulk phishing attempts, there often are grammatical errors in the message. Additionally, the hyperlinked text will direct the recipient to an unknown or unrelated site. The URL may even look very similar to what the recipient expects, but with a minor spelling error. This is a red flag. The best way to ensure a legit link is to hover over the hyperlinked text and verify the URL.
Spear phishing is the more dangerous variant of phishing. With spear phishing, the attacker conducts research on the individual and creates highly customized messages. They may try to build trust by misrepresenting themselves as someone the recipient knows (e.g., a colleague). For example, the attacker may send an email using a familiar name from the same company, but with the name slightly misspelled. At first glance, the message may seem legit, but upon closer examination, you’ll notice that the sender name or return email address is incorrect, or that an embedded link redirects to an unknown or suspicious site. Typically, spear phishing is targeted toward high-profile individuals and executives.
Smishing has started to increase in popularity in recent years. Whereas phishing attacks occur via email, smishing uses our mobile phones in the form of text messages. The same tactics apply. The attacker sends a text message with a malicious link in an attempt to get the recipient to click. These types of attacks often mimic someone important at the company, such as the CEO, and ask you to do them a favor, like purchasing gift cards, as one example. The same precautions should be taken with our text messages as with emails: follow up with the individual to verify whether the request is legitimate or not.
Vishing is not as common and often is part of a more concerted attack on an organization. This is the oldest form of social engineering. In the event of a vishing attack, the intended target will receive a phone call from someone impersonating someone else to get the individual to divulge sensitive information, usually by playing on your human emotions. It’s important to always be careful about what you are giving away on phone calls and double-check everything.
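The link red flags described in the answer above (visible link text that does not match the real destination, a domain that is a near-miss of the expected one, and urgent wording) can be checked mechanically before a message reaches the reader. The script below is an added example, not code from Cayuse or from the original article; the trusted-domain list, the urgency phrases and both sample messages are constructed for illustration.

```python
"""Flag phishing red flags in an HTML e-mail body: visible URL text that does
not match the real href, hrefs whose host imitates a trusted domain, and
urgent wording. Added example; sample messages below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of domains the recipient legitimately deals with.
TRUSTED_DOMAINS = {"cayuse.com", "example-university.edu"}

# Constructed list of pressure phrases; order matters for the returned list.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be locked", "act now")

# Anchor text that is itself a URL or bare domain, so it can be compared to href.
_URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample messages (not real phishing mail).
PHISH_MESSAGE = """<p>Your account will be locked within 24 hours unless you reset
your password.</p> <a href="http://cayusse.com/reset">https://cayuse.com/reset</a>"""
LEGIT_MESSAGE = """<p>Our security commitments are described on
<a href="https://www.cayuse.com/trust/">our trust page</a>.</p>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL or bare domain, with a leading 'www.' removed."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _edit_distance(a, b):
    """Levenshtein distance; a small value between different domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `host` imitates, or None if trusted or unrelated."""
    if host in trusted:
        return None
    for good in trusted:
        if _edit_distance(host, good) <= max_distance:
            return good  # minor misspelling, e.g. cayusse.com
        # trusted name buried in a longer host, e.g. cayuse.com.account-verify.net;
        # a genuine subdomain such as mail.cayuse.com ends with ".cayuse.com" and passes
        if good in host and not host.endswith("." + good):
            return good
    return None


def check_links(html_body):
    """Return (href, reason) findings for the anchors in an HTML e-mail body."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        shown = _host(text) if _URLISH.fullmatch(text) else None
        if shown and shown != target:
            findings.append((href, f"visible text points at {shown} but link goes to {target}"))
        imitated = lookalike_of(target)
        if imitated:
            findings.append((href, f"{target} looks like {imitated}"))
    return findings


def urgency_cues(html_body):
    """Return the constructed urgency phrases present in the message text."""
    lowered = " ".join(html_body.lower().split())
    return [p for p in URGENCY_PHRASES if p in lowered]


if __name__ == "__main__":
    for name, body in (("phish", PHISH_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, check_links(body), urgency_cues(body))
```

The "hover and verify the URL" advice is what `check_links` automates: the text a reader sees is parsed as a domain and compared with the host the link actually goes to, and that host is then compared with the allowlist by edit distance so that a one-letter misspelling is caught. Real mail gateways use richer logic (URL reputation, sender authentication), but the same two comparisons are the core of the check.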
What is Cayuse doing to protect customers from cybercriminals?
Cayuse takes a multi-faceted approach to protect our systems from various types of cybersecurity threats. Educating our staff on the latest trends and threats on a regular basis is one effective way to minimize the possibility of falling for any of the phishing, smishing, or vishing attacks we already discussed. We follow a three-step process in our security program:
The prevent step layers on multiple security tools and controls to stop an attack or threat from happening in the Cayuse environment. We are constantly reviewing and assessing the effectiveness of these tools and controls to ensure we remain current with safety protocols to protect against existing threats. Cayuse conducts annual security awareness and job-specific security training throughout the year. We also conduct phishing tests to ensure our users are educated against the threats, which, in turn, helps us minimize risk.
The isolate step is our next line of defense, where we actively strive to limit the damage of an attack that penetrates our prevent layer. We have a multi-pronged approach that focuses on privileged access management and zero trust network architecture to help with some of our isolation activities. The ultimate goal is to limit the attack surface that impacts our internal and customer-facing environments.
The recover step involves the steps to get back to normal after an attack event or even a remediation effort for a vulnerability. We have an incident response policy and process that we follow that helps us remediate the issue and hand it over to our disaster recovery and business continuity plans. At the end of all of these activities, we conduct root cause analyses and mitigate the issue from there.
What advice would you give to research teams who want to level up their security measures?
Understand what you hope to accomplish. There is not a single solution that will solve all of our security concerns. Be wary of any company that tries to pitch an all-encompassing security solution. A few key questions and actions to consider include:
- What do we need to comply with? What do the regulations and security frameworks associated with those compliance areas say?
- What is our overall risk appetite as an organization? How much risk can/should we accept and stay in compliance with the previous answers?
- Make sure you have an up-to-date asset inventory. You can’t protect assets that you don’t know exist.
- Develop a security cadence for critical activities. You need to conduct security activities monthly, quarterly, and annually to keep your security protections up to date. Get those items on a schedule and assign them to the appropriate areas to complete.
- Develop a Security Education, Training, and Awareness (SETA) program. Train your end users and your technical staff to do things right and make them aware of security threats. Annual training for everyone, tailored training by department, and regular “newsletters” on recent trends and threats are a good place to start.
The more you know, the safer your data.
At Cayuse, we manage billions of dollars of data for research institutions around the world. Our customers rely on us to ensure not only easier access to and management of their data, but also security of that data. This is a responsibility we don’t take lightly. We take a no-nonsense approach to cybersecurity with a keen understanding of the evolving nature of cybersecurity threats.
To learn more about our commitment to cybersecurity, visit: https://cayuse.com/trust/.