You start your day checking for emails and you spot a client email with “PROPOSAL” as the subject line. You try opening the attachment but nothing happens. You ask the sender to resend the mail, but you never get a reply. You continue your day as usual.
The next day, your company announces that a data breach occurred with 130 million customer data compromised. You receive an email from the IT department asking for any unusual stuff that happened the previous day and you remember the weird “PROPOSAL” email with an attachment that never opened. You were a victim of phishing.
Here’s how phishing.org defines it:
Phishing is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking, and credit card details and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.
Phishing is among many other cyberattack methods that are being used by cybercriminals to acquire sensitive information for personal gains. Some of the most common attacks are:
- Denial of Service (DoS)
- Password attack
- SQL injection
- Cross-site scripting (XSS)
- Man in the middle attack
Defending yourself and your organization from cyberattacks
Your IT Department conducts an information campaign on how to spot phishing emails and how to deal with them. All the employees are also required to join a Cyber Security Seminar so you are more equip to deal with other forms of attacks that may target you and your organization in the future. In the seminar, you learn that cybersecurity is the collection of methods, technologies, and processes aimed to maintain the confidentiality, integrity, and availability of computer systems, networks, and data against cyber-attacks or unauthorized access, and even natural disasters.
Defending yourself and your organization from cyberattacks is very much like defending a building from criminals. There are monitoring tools that record the activities happening in the system, much like what CCTV does in a building. There are also cybersecurity professionals that ensure the security of computer systems just like what security personnel does in a building. Cybersecurity should be implemented 24/7 as done in building security.
Why do you need to improve the security of a system?
After the phishing incident, the IT team has been pushing security updates to everyone’s computer regularly. Some employees are annoyed because they are forced to restart their computers while they are working on something. They even question why one security update is not enough to protect the systems from cyberattacks.
To answer that question, I’m going back to my analogy between cybersecurity and building security, I will also throw in a reference that I have researched because I feel like those imaginary employees are hard to convince.
Taken from an academic paper that reviewed seven studies about the effectiveness of surveillance cameras in reducing crime;
Changes in total crime found crime reductions ranging from 24 to 28% in public streets and urban subway stations, but no desirable effects in parking facilities or suburban subway stations.
This implies that although crimes are reduced when surveillance cameras/CCTVs are installed, crimes still happen even when CCTVs are in use. The same thing is true for computer systems, a single security update will not eradicate the threat of cyberattacks. Cybercriminals/hackers will not be stopped by a security update, they will just look for other ways to break into your systems.
Cybersecurity is the process of defending computer systems from cyberattacks. There are many forms of cyberattacks, one of which is phishing. Phishing is a technique used to obtain sensitive data where targets are contacted via email by cybercriminals posing as legitimate institutions. Cybercriminals/hackers cannot be stopped by just a single security update and as hackers continuously improve their techniques, your system’s security should improve as well.
Alain Dimabuyo, Front-end Developer
Christopher Clint, Backend Developer
Roger Madjos, Software Engineer