It should come as no surprise that the number of people using the internet is steadily growing. And as we all know, you can do practically anything online these days. You can buy a car, do your banking, get a degree, make a doctor's appointment, and even find love. The growing number of users and the ever-growing use cases of the internet have allowed marketers and businesses to achieve a number of things: they can reach new audiences, diversify revenue streams, introduce new products and much, much more. But as more people enter this digital marketplace, and more sensitive data is stored, shared and accessed, the techniques and sophistication of cyber attacks have also grown.

According to Gemalto, in the first half of 2018 alone, 3.35 billion records were stolen. By 2021, cybercrime damages are estimated to hit $6 trillion annually, and the damage to a company's reputation after a cyber attack can be significant. Furthermore, according to a Deloitte study, about one-third of consumers said they would stop dealing with a company that fell victim to a cyber security breach. With these not-so-fun facts in mind, organizations need to pay attention to how they can protect themselves from cyber attacks. But considering the scale and sophistication of cyber threats, many digital marketers don't know where to start. This article will explain the four primary methods of cyber attack, and seven steps companies can take to protect themselves against these most common crimes.

The four primary methods of cyber attack

Social Engineering: Almost every cyber attack begins with social engineering. Social engineering is a set of techniques cybercriminals use to lure unsuspecting users into handing over confidential data, infecting their own computers with malware, or opening links to malicious sites. It relies on human interaction and a plausible context (an urgent request from "the boss", an overdue invoice, a password-reset notice) to persuade users to take actions that are not in their best interests.
The most common form of social engineering attack is phishing. Phishing is a cybercrime in which a target or targets are contacted through an electronic channel, such as email, by an attacker posing as a legitimate person or business, for the purpose of fraudulently acquiring sensitive data (credentials, card numbers, personal details) to be used in a later attack, or of convincing the target to install malware on their system.

Malware: Malware, short for malicious software, is any program or file that is harmful to a computer or its user. Malware includes computer viruses, worms, Trojan horses, spyware and ransomware. Attackers use malware for a myriad of purposes, including stealing, encrypting or destroying sensitive data, altering or hijacking computer systems, and monitoring user activity without permission. Each type of malware has its own identifying characteristics. A virus is malicious code that, once executed, spreads by infecting other programs or files. A worm, on the other hand, spreads copies of itself from computer to computer without depending on other files or programs; worms typically exploit software vulnerabilities to spread and are used to deliver additional malware, steal data, or give an attacker control of a computer. A Trojan horse is malware disguised as a legitimate program that activates its malicious payload once run. Spyware monitors a user's behavior, keystrokes or screen without their knowledge. Lastly, ransomware encrypts files on a user's system and holds them hostage until money is paid for the decryption key.

Unpatched Vulnerabilities: A recent study found that almost 60% of organizations that suffered a data breach in the past two years could trace it to a known vulnerability that had not been patched.
The Equifax breach, which exposed personal data for 146.6 million US consumers, was traced to a missing patch on a single server. The patching problem extends to content management systems as well. WordPress is the most popular content management system in use today, powering 26% of all websites in the world and holding almost 60% of the CMS market share. That prevalence has made WordPress a favorite target for attackers. Alarmingly, about 70% of WordPress sites are not hardened for security. The result has been sites hijacked for malicious purposes, defaced, or stripped of sensitive data. Keeping the WordPress core and every installed theme and plugin patched is the first line of defense.

Non-human Traffic: More than half of all traffic on the internet is non-human. This includes bots (automated programs, often running on computers taken over by malicious software) committing click fraud, scrapers that gather and record every link and other piece of information from every page on a website, spambots and other malicious activity. Bots can also be used to launch Distributed Denial of Service (DDoS) attacks, which overwhelm a website's or server's ability to handle the volume of traffic and thus prevent legitimate users from connecting.

Seven Ways to Protect Your Website from Cyber Crime

As mentioned earlier, cybercriminals are becoming increasingly sophisticated, and every business has vulnerabilities unique to its tech stack, workflows and resources. However, there are seven steps a business can take to start defending itself against these most common cyber attacks:

1. Know when and how you are collecting sensitive data, and protect it.
  • Ensure that any sensitive information collected from your customers and prospects is encrypted at rest (i.e. when saved to disk or in a database) and in transit (i.e. over TLS as it moves between browser, server and any third-party service).
  • Ensure that any change to your data architecture is analyzed to account for new data flows that may require additional protection.
2. Implement a strong cybersecurity training program
  • According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing.
  • Ensure that your employees and teams learn how to identify, resist and report phishing attacks.
3. Implement strong password requirements and Multi-Factor Authentication (MFA)
  • Adding MFA means that a stolen, guessed or phished password alone is not enough to log in, which substantially raises the difficulty of defeating your authentication controls.
  • 551 million passwords have already been exposed and cracked in public breach corpora, and reusing any of them across multiple accounts or systems makes gaining access to sensitive data significantly easier. Check new passwords against such lists and forbid reuse of exposed ones.
4. Ensure you have an effective patch management practice. Your patch management practice needs to include the following:
  • Servers
  • CMS platforms
  • Components (Open Source and Closed Source / Commercial Products)
    • PHP
    • Java
    • IIS
    • Apache
    • Adobe etc.
5. Implement Next Generation Firewall Technology
  • Next-generation firewalls with deep packet inspection look at the content of traffic rather than just ports and addresses, adding a layer of protection against web vulnerabilities.
  • Web Application Firewalls (WAFs) filter attacks aimed at the application itself (SQL injection, cross-site scripting, malformed requests) and can rate-limit application-layer floods, improving the availability of your web properties. A WAF on its own will not absorb a large volumetric DDoS attack; that requires upstream or CDN-based scrubbing capacity.
6. Implement Bot/Botnet Detection and Protection Tools
  • For every part of your site where users input data (logins, sign-up forms, comments, contact forms), put a bot-protection technology such as CAPTCHA in place. This raises the cost of automated password brute-force and credential-stuffing attacks. Pair it with server-side rate limiting and account lockout, since CAPTCHA alone does not stop a determined attacker and does nothing against a volumetric DDoS attack.
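Added example, not from the original article: CAPTCHA raises the cost of automation at the form, but the login endpoint behind it still needs its own throttle. The Python below keeps sliding-window failure counters keyed by both source IP and target account, so a single IP spraying many accounts and many IPs hammering one account are both slowed down, and it is consulted before the password is checked so that a throttled request reveals nothing about whether the password was right. The attempt list, addresses, thresholds and class name are all constructed for the example.

```python
"""Server-side login throttle: sliding-window failure counters keyed by source
IP and by target account, so that one IP spraying many accounts and many IPs
hammering one account are both slowed down. Added example with constructed
attempts; class, thresholds and addresses are the example's own."""
from collections import deque
from typing import Deque, Dict, List, Tuple


class LoginThrottle:
    def __init__(self, max_per_ip: int = 20, max_per_account: int = 5, window_s: int = 300):
        self.max_per_ip = max_per_ip
        self.max_per_account = max_per_account
        self.window_s = window_s
        self._by_ip: Dict[str, Deque[float]] = {}
        self._by_account: Dict[str, Deque[float]] = {}

    def _recent(self, table: Dict[str, Deque[float]], key: str, now: float) -> Deque[float]:
        q = table.setdefault(key, deque())
        while q and q[0] <= now - self.window_s:  # drop failures outside the window
            q.popleft()
        return q

    def allowed(self, ip: str, account: str, now: float) -> bool:
        """Call before verifying the password. False when either the IP or the
        account has used up its budget of recent failures, so a throttled
        attempt leaks nothing about whether the password was correct."""
        ip_failures = self._recent(self._by_ip, ip, now)
        acct_failures = self._recent(self._by_account, account.lower(), now)
        return len(ip_failures) < self.max_per_ip and len(acct_failures) < self.max_per_account

    def record_failure(self, ip: str, account: str, now: float) -> None:
        self._recent(self._by_ip, ip, now).append(now)
        self._recent(self._by_account, account.lower(), now).append(now)

    def record_success(self, account: str) -> None:
        # A correct login clears the account's counter but not the IP's, so a
        # credential-stuffing source that guesses one account stays throttled.
        self._by_account.pop(account.lower(), None)


# Constructed attempts for the demo: (seconds, source IP, account, password_correct).
CONSTRUCTED_ATTEMPTS: List[Tuple[float, str, str, bool]] = [
    (0, "203.0.113.5", "alice", False),
    (1, "203.0.113.5", "alice", False),
    (2, "203.0.113.5", "alice", False),
    (3, "203.0.113.5", "alice", True),    # right password, but account budget exhausted
    (4, "198.51.100.7", "alice", True),   # other IP, same account: still throttled
    (400, "203.0.113.5", "alice", True),  # window elapsed: allowed, succeeds
]


def run(throttle: LoginThrottle, attempts) -> List[str]:
    """Drive the throttle with a list of attempts and report each outcome."""
    outcomes = []
    for t, ip, account, password_ok in attempts:
        if not throttle.allowed(ip, account, t):
            outcomes.append("throttled")
        elif password_ok:
            throttle.record_success(account)
            outcomes.append("success")
        else:
            throttle.record_failure(ip, account, t)
            outcomes.append("failed")
    return outcomes


def demo() -> List[str]:
    return run(LoginThrottle(max_per_ip=10, max_per_account=3, window_s=300), CONSTRUCTED_ATTEMPTS)


if __name__ == "__main__":
    print(demo())  # ['failed', 'failed', 'failed', 'throttled', 'throttled', 'success']
```

In production the two tables live in a shared store (Redis or the database) rather than process memory, and the per-account limit is what blunts distributed attacks that rotate source addresses; the per-IP limit is what blunts password spraying across many accounts.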
7. Run Penetration Tests on a Regular Basis
  • Penetration tests are the most direct way to confirm that your security controls hold up against real attack techniques. These simulated attacks help you find vulnerabilities before an attacker does; give each test a defined scope, and track its findings through to remediation and retest.
Today's world is filled with new and constantly evolving cyber threats, which means some of the biggest dangers are ones we haven't even heard of yet. It stands to reason, then, that no security solution is impervious to attack. However, bringing the conversation about cybersecurity to the forefront, training your organization to be vigilant about security and implementing the seven steps above can drastically reduce your exposure to cyber threats.

For more information about cybersecurity best practices, and Primacy's security and risk compliance consulting, contact us.