Ho: Most cyber attacks begin with phishing emails


Ho says the cybersecurity community generally believes that many of the security breaches in recent history were avoidable. — Reuters photo


KUCHING: Reports show that most cyber attacks begin with a phishing email to an unsuspecting victim.

In an opinion statement, Deloitte Malaysia Cyber Risk, Risk Advisory executive director Ho Siew Kei noted that cybersecurity practitioners have, for many years, been promoting the adage ‘it’s not if, but when’ organisations will be impacted by a cyber attack.

“With attackers adopting and deploying increasingly advanced and sophisticated tools, and organisations struggling to address cybersecurity challenges — not least talent and skill shortages — ‘if, not when’ is probably true for most organisations today.

“The cybersecurity community generally believes that many of the security breaches in recent history were avoidable.

“For instance, research suggests that 95 per cent of security breaches in 2018 could have been prevented, and that many of the techniques attackers used to successfully breach systems in 2018 remain the same as those used historically.

“In a more specific example, investigative reports describe the 2017 data breach suffered by the US credit bureau Equifax, which disclosed personal details of more than 140 consumers, as ‘entirely preventable’.

“While it is impossible to conclude definitively that the relevant security breaches would not have occurred even if stronger security controls were in place – after all, it is difficult to stop the most advanced and determined attackers – these reports suggest that it is far too easy for attackers to achieve their objectives,” he said.

Failure to adhere to basic cybersecurity principles, a concept which is becoming increasingly known as ‘cyber hygiene’, leaves organisations vulnerable to security breaches, he warned.

“Recent research reveals that over 80 per cent of breaches involved the use of weak or stolen passwords; as access to corporate networks and applications is increasingly through corporate mobile devices or employee personal devices under BYOD schemes, poor cyber hygiene at an individual level does have a direct impact on enterprise security – and attackers are certainly leveraging on individuals as the entry point to corporate systems and data,” he added.

There are several ways the average person can protect themselves from cyber attacks.

Ho suggested that users install security software on mobile devices, as more sensitive data is now held on them and they are increasingly used for sensitive activities such as online banking.

New variants of mobile malware increased by 54 per cent in 2018, yet mobile users still do not adequately protect their mobile devices from malware.

Aside from that, he urged users to avoid browsing questionable websites, as compromised or known-malicious websites are one of the main avenues for propagating malware infections on mobile devices or computers.

He also advised users to download reputable mobile applications only from legitimate sources and to exercise caution on social media.

“Fraud, identity theft, and scams are a big motivator for attackers to connect with individuals – for example, harvesting information based on an individual’s social media presence may allow attackers to impersonate the individual for identity theft, or as a platform to launch social engineering attacks on an individual’s contacts and friends.

“Be careful of whom you accept as friends and be careful of revealing excessive private information through social media or job posts,” Ho added.

Aside from that, he advised users to constantly use different passwords for multiple accounts and to beware of phishing emails, while consciously keeping up with current security trends and threats.

“Aside from ‘if, not when’, another popular adage within the cybersecurity community is that humans ‘are the weakest link’ in security.

“The recommendations above, while not new, are unfortunately rarely practiced by the common user. In order to stay safe online, both in our private and professional lives, and concurrently reduce risk to our organisations, maintaining good cyber hygiene has become pivotal and an essential first step in combating cyber threats,” Ho concluded.