As the world continues to deal with the COVID-19 pandemic, the worldwide economic shock has dramatically increased the danger and risk of digital threats to independent contractors.
It is vital that contractors take measures to protect themselves from potential cyber crime attacks. Below are three of the most common cyber attacks that can affect contractors, as well as suggestions on how to defend against such attacks.
Phishing is an attempt to steal information such as passwords, banking, or credit card information. Emails and instant messages are used to trick unsuspecting users into providing the information by responding to the message or clicking on a link included in the message.
Once stolen, the information could be used to perform more advanced attacks such as identity theft or could be sold on the dark web. These attacks are now quite sophisticated. The term “spear” phishing refers to attempts focused on specific individuals that appear to be legitimate emails from trusted and known contacts.
To protect against phishing attacks, contractors can:
1. Educate employees on how to identify phishing messages and what procedures to take when a phishing or suspected phishing message is received.
2. Install anti-phishing software with anti-phishing components into email programs such as Outlook. These programs can help filter out phishing emails and messages, and provide alerts to users when a message appears suspicious or high risk.
3. Implement additional verification controls for initiating asset appropriations such as purchase orders or wire transfers. Requiring signed requisition and transfer forms or having additional secondary forms of authorization can help prevent asset loss when a convincing phishing attempt is received.
Malware and Ransomware
In a malware attack, some form of malicious software such as a virus, spyware, keylogger, or Trojan horse are installed onto the user’s computer or system without their knowledge. The code or program is used to steal data, infect other computers, and/or compromise other areas of the organization’s network.
Embedding the malware in an email attachment and getting the user to open it is the most common method used. Malware can also be installed via infected hardware, such as a flash drive or directly from a website.
In a ransomware attack, the company’s network is infected with malware that denies access to files or shutdowns either a part of or the whole IT system. A ransom payment is then required to unlock the files or devices.
Contractors can take the following steps to defend against malware attacks:
1. Maintain updated antivirus software, which can be very effective at preventing a malware attack or detecting an infection before significant damage is done.
2. Maintain constant skepticism of email attachments as it is the most common method used to spread malware. All email attachments must be scanned by an antivirus software prior to opening.
3. Maintain a plan for a malware attack. Despite having strong controls and IT security processes, the risk of someone being subject to a successful malware attack is high. Contractors should review and update disaster recovery plans to account for a potential malware attack and consider purchasing cyber insurance.
Man in the Middle Attack
A Man in the Middle (MITM) attack occurs when the hacker seeks to gain access to a network connection to intercept the transfers between two parties. The attacker can then monitor activity and communication that occurs over the connection and potentially obtain files or information shared between the two parties.
To mitigate man in the middle attacks contractors can:
1. Avoid unsecure Wi-Fi connections, which are the main tactic used to carry out MITM attacks. Public Wi-Fi connections such as a coffee shop or fast food hotspots where contractors often take breaks can be spoofed to fool the user into connecting to it. The best way to avoid unsecured connections is to use a cellular or private hotspot.
2. Transfer sensitive files via portals to eliminate access to email communications and attachments. Best practice would be to use a portal or file sharing site to upload and download information.
3. Use of a VPN and encrypted email to create a private network over a public network will increase security for the communications shared over that network. Contractors should consider using encryption technology for any email communication.
In today’s world, contractors face very real security threats. These risks cannot be ignored or left to unqualified IT administrators. While cyber attacks will never be completely unavoidable, a well-prepared contractor will be positioned to minimize the potential damage and destruction of these attacks.