Hackers target less secure personal accounts to cross over to your business networks.

By Anisa Williams, BSS Staff

Guard Your Personal Accounts to Save Your Business

91%. That is a large (and unfortunately accurate) number: it represents the share of cyberattacks initiated by an innocent person who clicked a link or shared sensitive information in response to a phishing email, according to KnowBe4.

Wayward protection for personal devices

We have these amazing, powerful computers in our pockets (literally) and can work anywhere from our business computers. It’s common practice to do personal tasks on our work computers as it’s relatively safe – IT has your back, right? But it’s also common practice to conduct business on our personal computers or phones, even though (admit it!) you may not recall the last time you changed your email password, or aren’t sure if you have anti-virus software on your phone.

One click to cyber crime

Many high-profile breaches, the kind that expose millions or billions of user accounts to criminals, start with a phishing email to their target’s personal accounts. Yahoo, Target, Facebook, and Google have all experienced massive data breaches due to a single compromised account from a phishing email.

Sony’s very visible data leak of over 100 terabytes of confidential company information, at a cost of $100 million, happened because phishers pretended to be colleagues of top-level employees. Specifically, they used a fake Apple ID verification email, combined with posted LinkedIn data, to find matching passwords from personal accounts on the Sony network.

LastPass, a popular password manager, experienced not one but two breaches that started with a click. The hackers targeted a DevOps Engineer who had access to the entire LastPass infrastructure. The Engineer logged into a false movie streaming website – a personal account – on his corporate computer and essentially gave hackers full access. The hackers impersonated the Engineer and caused havoc over six months: they copied source code, backups of customer databases, and encryption keys. Hackers also overwrote logs, performed anti-forensic activities to cover their tracks, and installed keyloggers on computers. All in all, the LastPass breaches cost the company millions, and cost its customers millions if not billions in stolen crypto wallets and access to banking and credit cards.

Protect your personal accounts

The majority of accounts are compromised because of reused or too-simple passwords. Experts recommend:

  • Don’t mix personal and business accounts on the same device.
  • Update your personal accounts with unique passwords or passkeys.
  • Add Multi-Factor Authentication (MFA) to all personal accounts.
  • Use a different password manager than the one you use for work.
  • Use extreme caution when sharing your personal information – especially passwords – online or by phone.
  • Keep your personal devices up to date with security patches and antivirus and antimalware software.

Protecting your personal accounts and devices can protect your business from threats. Phishing and targeted phishing attacks can destroy a company financially and reputationally. If something seems suspicious when you are trying to log in to a personal account, don’t put in your credentials.

 

Sources:

https://www.yeoandyeo.com/resource/91-of-cyberattacks-begin-with-a-phishing-email

https://www.hempsteadny.gov/635/Famous-Phishing-Incidents-from-History

https://www.cybersecuritydive.com/news/lastpass-cyberattack-timeline/643958/

https://www.aba.com/advocacy/community-programs/consumer-resources/protect-your-money/phishing
