Improvements in technology have led to increased connectivity with improvements in security, but have also involved unique vulnerabilities and potential for hackers to access a wide range of information. Particularly problematic to businesses is the potential for a phisher to represent a part of the organization, or a supplier with a business connection to it, as they request organizational information or even funding.
What Are Current Major Risks?
Business managers and employees run the risk of being phished from their work accounts while seemingly doing normal business, only to find that they inadvertently provided company funds or information that could be used to damage the company’s systems or even their reputation. This creates new demand for organizational and network security processes and defenses, with phishing, internet-of-things (IoT) security, and general WPA2 hacking being among the greatest current threats to major organizations, small businesses, and individuals alike.
Phishing internally can lead to thousands or even millions of dollars accidentally provided or outright stolen after the critical information is inadvertently provided. An individual can create an email using some phishing technique to hide, mask, or otherwise misrepresent their actual identity while claiming to be an active member, supplier, or some other legitimate affiliate of the organization. The recipient may receive a SharePoint document link that is hyperlinked to malware capable of hacking or damaging system software, and while being directed to a login screen or invoice to request funds or sensitive information to be further misused.
Hackers have the potential to work around even the most advanced anti-phishing filters, using tactics such as reducing the triggering text to a font size of zero to avoid detection. This allows them to pass the filters with how the data is read while displaying apparently legitimate communications and requests to an organizational manager or employee.
According to the Business Owner’s Guide to Technology, these instances have been common. The reporters cited two recent instances of tens of thousands of dollars being accidentally sent amid a phishing campaign. This campaign went beyond the fake login screen to record credentials in attempts to involve phony invoices as well. There have been cases where millions of dollars were lost through a similar approach.
Another major risk that organizations have, amid a false sense of security, is the size of their network in their maintained IoT. While it has become common for tablet devices, personal laptops, mobile phones, and other devices to be used within a business network for increased internet connectivity and email, it is also becoming more common for hackers to use their own devices to access information. This can potentially be done internally or externally, creating a demand for increased security or upgrading beyond vulnerabilities in the WPA2 security protocol. This issue follows along the lines of phishing potentials in terms of general security vulnerabilities that are the greatest threat to large businesses, small businesses, and individuals alike.
WPA2 hacking, in general, has become more effective, as the protocol itself has been upgraded and developed for security vulnerabilities realized to demand a completely new protocol, WPA3.
Inc. explained that hackers may very well have preferences for businesses, due to the probability that at least some bit of useable information can be recorded from the network. While managers and even network administrators may assume that the most recent mainstream releases of security software and protocol recommendations are enough to protect them, hackers continue to work against these, demanding that upgrades and software that have yet to become mainstream be implemented. This, therefore, demands ongoing research and dedication to optimizing network security.
What Other Specific Recommendations Are There For General Risks?
Beyond general best practices and the issues listed above, experts continue to make recommendations for the optimization of security. To optimize defenses against phishing, a combination of proactive awareness campaigns of recent threats and optimizing the use of available security features is all experts can recommend avoiding inadvertent user cooperation.
To optimize defenses against WPA2 hacking, if transfer to the now-available WPA3 is not possible or deemed sufficiently feasible, minimizing network accessibility to essential job functions or requirements only for all users, while maximizing all relevant security, is recommended. Multi-step user authentications can help against both phishing and hacking attempts.
Other issues are not as commonplace or severe, but are still regarded as important. Network owners are advised to watch out for privilege escalations, which hackers may use in an attempt to gain increasing access to information once they have breached the network to any extent. Maintaining control though rootkit detection is also recommended, as are methods to scan activities and ‘backdoors’ for forms of malware left by hackers who may have been able to remove their event logs before installing their own backdoor access.
As a final measure, taking extra steps to ensure that all employees are actually operating in compliance with security protocols is recommended, as many organizational managers may not even be aware of the extent of shortcuts or vulnerabilities they effectively allow for the sake of convenience. Purple Griffon is one online source that has compiled additional details regarding these potential threats and recommended protective actions.
What’s Most Important?
Ensuring compliance and best practices against phishing
Advanced anti-phishing protection (ATP) or related software
Network security optimization or WPA3 integration
Remaining current with news, research, and developments
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.