Let's face it, cybersecurity has never been the sexiest topic. To a lot of people, it might not even be a term they're familiar with. So let's start off by defining it.
Cybersecurity is the practice of protecting systems, networks and programs from digital attacks. Digital attacks can range from attempts to steal personal information to destroying sensitive information or even holding it ransom until a fee has been paid.
Anyone who has been the victim of a cyber attack will know it's a highly unsettling process to go through. In fact, the very reason I'm writing this blog is because I was recently the victim of a sophisticated cyber attack myself. The week before last I received an email from a client with whom I'd been chatting recently about a possible project Easthouse could support with. The email had the subject line "Proposal for Easthouse" and enclosed in the email from his email address (complete with signature and all) was a well-written message and a link to a OneDrive folder in which the "Proposal details" could be found. The message was in fact a phishing email and I had taken the bait 🎣
The timing of the email was perfect. Just a few weeks before I had spoken to the client about possible projects, and in came an email with a link to a project. A phishing email is a scam message designed to trick the recipient into taking an action that gives the attacker access to something personal, such as an account or mailbox. In this case, the attacker was able to access my mailbox and send out the same email, this time from my email address, to a host of email addresses in my address book.
I only realised all of this when I started receiving calls and messages from people I'd been speaking to recently (a lot of them clients) about the email. I was so embarrassed. But I knew the only way forward was to take ownership of the situation to ensure that those people who had been targeted wouldn't be adversely affected any further. I emailed and called everyone I had spoken to recently, I put out a LinkedIn message with a warning and I immediately changed my email password and reinstated 2FA with Authy (something I should have had instated a long time ago - I blame this on juggling too many things at once).
So what advice do I have from my experience in terms of prevention and mitigation?
Prevention tactic - Use 2FA (two-factor authentication) for everything. It's so important, do it. I was kicking myself for not having it enabled on my work email account, as it most definitely would have prevented last week's events. Authy is great if you're looking for an authentication app (not all apps integrate with it though), but even SMS verification is better than nothing.
Prevention tactic - Regularly change your password and use a password manager to make this easier. Let's be honest, it's so boring but so important. Using a password manager makes it so much easier; I use Dropbox Passwords and it's so easy to update the password it stores every time I change my passwords.
Prevention tactic - Keep your software up to date. If you use Chrome, regularly update it. If you're a Microsoft user, I know their updates seem endless but they're so important. Trust me, restarting your computer every now and then is much easier (and less embarrassing) than having to tell all your clients to ignore your emails with malicious content.
Mitigation tactic - If all of the above fail you and the worst does happen, all I can say is own it. It happens to everyone and others will be sympathetic. Just be open, tell people what you know so they don't fall into the same trap, and then make sure you kick yourself enough to do steps 1, 2 and 3.
I am fully aware this won't be one of the most thrilling blogs I have written; however, I am also conscious that awareness is one of the most important things for cybersecurity. If a quick glance at this blog means that someone will spot a phishing email more easily, that's the goal achieved.
In summary, and in the words of Boris himself, "Stay Alert, Control the Virus, Save your Data".