This was originally published by Forbes
By Ken Gude
The recent spate of ransomware attacks, the persistent threat of malware and the high-profile exploitations affecting critical infrastructure have all contributed to an erosion of trust among Americans that their computer networks and mobile devices can be kept secure.
This anxiety, however, is not translating into commensurate action to protect their personal data online. It is essential that those of us in technology leadership positions boost public awareness and help users adopt smart and simple steps they can take to regain control over their online security.
The Current State Of Cybersecurity
Surveys of the public have found increasing fears about cyber threats. For example, my organization, a think tank, recently found that nine in 10 Americans say they have concerns about cyber threats like malware, ransomware, viruses and their financial details being stolen. Yet fewer than half of respondents said they regularly use the basic cybersecurity hygiene best practices that are widely recommended by experts, like adopting strong passwords, using multifactor authentication, only downloading from official app stores and avoiding clicking on untrusted links.
It’s time we close the cybersecurity gap that exists between Americans’ fears and their actions.
The low adoption of basic protections is a cybercriminal’s best friend. Some malicious actors are capable of using sophisticated tools to penetrate networks and devices, but most are not and often don’t have to. An analysis of cyber breaches registered with the U.K.’s Information Commissioner’s Office in 2019 found that 90% of data breaches were caused by some form of user action or error, such as being tricked into providing login credentials or downloading trojan or other malicious apps or software.
Cybersecurity Best Practices
Following basic cybersecurity hygiene best practices can dramatically reduce the risk that a network or device will be compromised. Two, in particular, will protect against a breach resulting from this kind of user action: using multifactor authentication and only downloading applications from official app stores.
Username and password are the near-ubiquitous methods for logging into most systems. But with the proliferation of websites and online activities that require them, most people do not adopt strong passwords. Multifactor authentication helps mitigate the risks of a malicious actor obtaining a user’s login credentials by requiring at least one additional piece of information, commonly a randomized code sent to another account controlled by the same user.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recommends using multifactor authentication, “because even if one authenticator becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space or computer system.” Multifactor authentication may have prevented the Colonial Pipeline ransomware attack last year that disrupted gas supplies in the Middle Atlantic region. Colonial’s CEO told senators the system the cybercriminals accessed “only had single-factor authentication.”
The powerful functionality of mobile devices combined with their portability and ease of use has greatly expanded their capabilities and made them practically essential for modern life. These same characteristics, however, make them key targets for cybercriminals, with the increasing threat of banking trojan apps that can steal login credentials a prime example.
According to Nokia’s 2021 Threat Intelligence Report (download required), virtually all malware on mobile devices gets there through downloads from third-party sources because the “security of official mobile app stores has improved significantly in recent years.” Both CISA and the FTC urge mobile device owners to “[r]educe the risk of downloading potentially harmful apps by limiting your download sources to official app stores.”
Disabling app downloads from third-party sources will protect devices from the FluBot and other malware attacks now spreading across the globe. FluBot is a banking trojan that penetrates devices through SMS messages alerting users to missed package deliveries or security updates. The link in the message actually downloads an app that overlays the screen of banking or other financial apps to steal login credentials. This malware only targets and affects mobile devices that allow apps to be downloaded from third-party sources.
Americans are rightfully concerned about the ever-evolving and increasingly sophisticated cyber threats. But relatively simple steps can help protect us and build trust that our personal data can be kept secure. Using multifactor authentication and only downloading apps from official sources are two critical steps anyone can take to increase the security of their systems and devices. No cyber defense is foolproof, but these steps provide an extra layer of protection, build trust among the public and can help close the cybersecurity gap.