05 May 2016

Changing Trends in Cyber Security

In the past, for individuals and small businesses, cyber security was important to mitigate the inconvenience of spam, viruses that required restoring back-ups of corrupt files, and letters to credit bureaus to clear up identity theft issues.

While painful, the cost of these was generally in the hundreds of dollars and perhaps a few hours of inconvenience.

Today, we see a convergence of trends that is changing the dynamics of cyber security for individuals and small businesses.

  • Individuals and small businesses have become habituated to the convenience of online services and apps which require a low level of user sophistication.
  • With increasing volumes of high value transactions exchanged through electronic channels, Internet criminals are coming up with new ways to intercept the communication or deceive the parties involved, such as researching a target’s contacts and background on sites such as LinkedIn, where they can identify real business relationships and pose as one of them. (See recent article: Business Email Compromise.)
  • Regulators are focusing on protecting consumer information by enacting cyber security regulations and outsourcing audits, increasing the stakes for regulated industries (e.g. realtors, lawyers, insurance agents, dentists, physician’s offices, investment advisors, accountants) that may be susceptible to a security breach.

In the past, Internet criminals were expert “marketers” who would purchase email addresses, set up internet domains to pretend to be a real company, and then bombard users with carefully written emails selling familiar consumer products.

Today, hackers and Internet criminals are far more sophisticated, and are willing to invest more time to research their individual targets. As a consequence, according to the FBI, cyber fraud losses per incident average $6,000 per individual and $130,000 per business, with $1.2 billion reported stolen in the last year.

Consider some basics:

1. Email Encryption Explained in Simple Terms:

We wrote about common email encryption methods in the past, and explained in simple terms what encryption is. We recommend reviewing these articles if you missed them.

If one is encrypting “for compliance”, one might want a service that is secure enough to protect the information in transit (with no storage in the middle).

By contrast, if one is looking to protect strategic interests, one might consider email encryption services that maintain the simplicity of use but still keep the messages encrypted in transit, in the sender’s archive/sent folder, and in the recipient’s archive/inbox. This protects the sender’s strategic interests so that these messages remain private far into the future regardless of a future breach, and their content cannot be harvested by the recipient’s email platform (e.g. Gmail, Hotmail, Yahoo) while it sits in his or her inbox. RMail “Executive Mode” email encryption is a way of accomplishing this.

2. Digital Signatures:

Technologies that permit recipients to authenticate senders (e.g. SPF, DKIM, PKI digital signatures) are important foundational technologies and essential to prevent traditional threats, but they have not evolved fast enough to deal with hackers’ use of social engineering or with web-based email programs (note, for example, that PKI digitally signed email is often not rendered properly in common web-based email programs at the recipient).

Today’s versions of spoofing (sending an email posing as the named email sender), phishing (broadcasting email with links that redirect to websites posing as those of recognizable brands, to lure one into entering passwords which are then stolen), spear-phishing (a more targeted approach to “phishing”), and whaling (using research to target higher value individuals with contextual messages, to lure bigger hacker prizes) often circumvent these traditional technologies. New technologies like Anti-Whaling security are beginning to address these new threats.
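As an added illustration, not part of the original article, of why a passing SPF/DKIM check alone does not stop impersonation: the constructed message below authenticates cleanly for the sending domain, yet uses a known contact’s display name on a look-alike domain and a mismatched Reply-To, the pattern described above for whaling and Business Email Compromise. All names, domains and the contact list are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM pass for the look-alike domain "examp1e.com"
# (digit 1 in place of the letter l), so authentication alone raises no alarm.
SAMPLE_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com
From: "Jane Doe (CFO)" <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay-example.org
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached wire today.
"""

# Hypothetical contact list: lower-cased display name -> domain we expect it from.
KNOWN_CONTACTS = {"jane doe": "example.com"}

def auth_results(msg):
    """Extract spf=/dkim= verdicts from the Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim)=(\w+)", hdr))

def flags(raw):
    """Return a list of impersonation indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    out = []
    # 1. Classic spoofing: the sending domain did not authenticate.
    auth = auth_results(msg)
    if auth.get("spf") != "pass" or auth.get("dkim") != "pass":
        out.append("auth-fail")
    # 2. Display-name impersonation: a known contact's name on the wrong domain.
    #    Role suffixes such as "(CFO)" are stripped before matching.
    key = re.sub(r"\(.*?\)", "", name).strip().lower()
    expected = KNOWN_CONTACTS.get(key)
    if expected and domain != expected:
        out.append("lookalike-domain")
    # 3. Replies silently diverted to a third domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        out.append("reply-to-mismatch")
    return out

if __name__ == "__main__":
    print(flags(SAMPLE_RAW))  # ['lookalike-domain', 'reply-to-mismatch']
```

Checks 2 and 3 are the ones SPF and DKIM do not perform; they only tell you the mail really came from examp1e.com, not that examp1e.com is who the recipient thinks it is.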

For individuals and small businesses, today’s challenge is to maintain the simplicity of digital communications and transactions, while increasing the protection against these new cyber risks. Armed with just a little more knowledge, users can reduce their exposure to today’s “hacker gold rush”.

We also recommend that you invite your colleagues to subscribe to this Tech Essentials Cyber-security Email Series, offered in partnership with bar, law, real estate, insurance, and other leading industry associations. Click here to subscribe to Tech Essentials.