As if cybersecurity weren't already a red-letter issue, the United States and, most likely, its allies--in other words, the global economic community--are in Iran's cyber sites, a major player in cyber warfare and politically divisive disinformation campaigns.
The "slap" as Ayatollah Ali Khamenei described it was a ballistic missile attack on a target that had three hours to get out of harm's way. It doesn't quite meet the standard of extreme revenge that the Supreme Leader has called for, and which has been echoed by several Middle East players in response to the U.S. drone attack that killed Iranian military commander Qassem Suleimani. Despite assurances to the contrary, it's a fair assumption there is more to come, according to national security experts.
Cyberwar could be a life disrupter as well as a business killer. Iran and its allies have a history of launching attacks that are hard to prove but nonetheless concerning. Top among the threats posed by Iran is the possibility of a massive cyber offensive aimed at critical infrastructure like the power grid, financial organizations, hospitals, election systems, businesses of all stripes, and government agencies. While you might imagine such an attack would be readily apparent with widespread blackouts and the like, the start of a cyberwar campaign may be more like the contrail of a firework, a subtle streak of smoke in the sky preceding a very obvious conflagration. It could target your employees, not your company. We're all connected.
So, how do you know if it's happening?
1. More Disinformation
While news of missile strikes is clear (the fake news a couple of years ago that Hawaii was under a nuclear attack notwithstanding), the details around such reports are not always accurate.
Immediately following Iran's counterstrike against American military posts in Iraq, a tweet circulated claiming that more than 20 American soldiers had been killed. This immediately caused a mini panic. Memes spread about World War III and the reinstatement of the draft. (There were no American casualties.)
Theoretically, fake news doesn't affect decision making in Washington, because facts are facts (unless they are alternative facts) and one would hope cooler heads might prevail when the worst-case scenario is World War III. That said, we are living in a world where Twitter has become a go-to news source for the United States secretary of state to find he's been fired and Instagram is the source used by the Queen of England to find out a senior royal--her grandson--has essentially quit his job as Duke of Sussex.
We used to call this psy-ops. Tokyo Rose targeted troops in the Pacific theater, making them miserable during WWII. The medium has changed but the mission hasn't.Tip: As annoying as it may seem, you have to vet your news these days. Take a moment and do a quick search of stories on whatever topic is at hand. Make sure you see the same reporting from more than one reputable source.
2. More Phishing Attacks
Phishing may seem like an ordinary part of online life, but it could also be the initial volley in a major cyberattack. Phishing here is shorthand for the Pantheon of Ishings: generic, spearphishing (personalized), vishing (phone based), and SMishing (text based).
The message could appear be from a government agency, your bank, your place of worship, your gym, a colleague at work. It may look just like the real thing. The only difference may be that it comes at the wrong time of the month, or you're pretty sure the stated problem is inaccurate.
The reason phishing is an issue here is that it could be a way to propagate crippling malware throughout a population.
Tip: Pause before you click on a link in an email or open an attachment. Ask yourself these questions: Am I expecting to hear from this person or organization? Is it possible this is fake? If you have doubts, check it out--go directly to your account or to the source, which you should always independently verify, if the communication refers to anything service or finance related. The best way to avoid getting got is to self-navigate online, avoiding links sent via any media.
3. Missing Data
You go online and you can't access your cloud account, or you can't find data stored on a device or in a specific service. You may have made a mistake. You might need to reboot your device. But, then again, you may have been hacked--"wiped" being the current term of art and something Iran has earned a reputation for. Most likely you didn't pause before you clicked, and got phished or compromised in some other way--possibly by an internet of things device connected to your home network.
Tip: Back up everything (for more, see below).
4. Your Finances Glitch
While not unheard of, it's exceedingly rare for financial institutions to get things wrong. When they do, your first thought should be that there's been some kind of compromise. One model of cyberattack includes sowing confusion in financial markets. While all finance-related industries build in complex data redundancies to protect against this kind of attack, you should still check your accounts daily as part of a personal cyber hygiene routine. You can also enroll in free transaction monitoring programs offered by banks, credit unions, and credit card companies that notify you of all activity in your accounts.
5. Things Stop Working
When I say "things," we're not just talking about the traffic lights. It could be your car, depending on how connected it is. It could be Amazon, The New York Times, Facebook, Instagram, Reddit, or Twitter. Distributed denial of service attacks (DDoS) are a very likely mode of attack.
There is little you can do in the event we experience widespread DDoS attacks, but one tip is to buy a good book series or a few board games since it might take a while to get the internet working again.
Here are five things you should do today to decrease the risk of a cyberattack affecting your life or your company directly.
1. Reduce Your Attackable Surface
Because the vectors of attack are innumerable, including many everyday items as well online destinations and tasks, it's crucial to reduce your attackable surface. At work, enforce strict cyber hygiene policies, especially for devices that connect to, or travel outside of, the office. Always create a layer of protection between your most sensitive information and accounts and devices that only need to be connected to the internet for convenience's sake. If you use IoT devices, create a separate network on your router for them since they aren't always the most secure connections to the outside world. Never buy a device that doesn't allow you to set a long and strong password. And be judicious about any app you might download to your mobile device.
Always consider if the convenience afforded by an insecure practice, device, or service is worth the risk and err on the side of security.
2. Update Everything
When your phone or computer alerts you to an available software or firmware update, pay attention and do what you're asked to do immediately (as opposed to clicking "Remind me later") because many of these patches are security-related. Remember, IoT devices also require updating to be as secure as possible, so check to see if all your tech (including that smart doorbell) is up to date.
3. Passwords
Passwords are easy to guess, especially when they are any of the worst that continue to be the favored security solution for a majority of users--i.e., password, 123456, qwerty, etc. Consider using a password manager.
If you want to create your own passwords, go for something completely random, like your grandmother's phone number in a code that uses the second letter of each letter associated with a phone key interface interspersed with the letter of a complex molecule of your choice.(Or use a password manager.)
4. Back Up Your Files
Ransomware is a very likely form of attack, and no amount of ransom will guarantee that you get your data back. Wiping attacks are also possible, where malware simply deletes everything on your hard drive.
Back up all your data all the time. Consider using the 3-2-1 rule: Store anything important on two different online storage protocols (hard drive and cloud, for instance; or two different cloud services) and a third copy encrypted on a password-protected external drive that is not connected.
5. Prepare for a Snowstorm
If there is a successful attack on the power grid or transportation, it could take hours or days (perhaps even longer) for things to return to normal. There will be a run on grocery stores, and they will be closed. While you may have your book series in hand, do you have candles and matches or a lighter or both? Make sure you have a week's worth of food that does not require refrigeration and an adequate supply of water on hand, since there may not be time to fill your bathtub. As with all things apocalyptic, if you have a car, make sure the gas tank is full.
If all this is too much to keep in mind, business owners might want to try the 3M's approach described in my book Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves: Minimize Your Risk of Exposure: Put resources into training your staff to recognize phishing scams and to practice good cyber hygiene. Vet contractors and vendors on the basis of their security practices to minimize supply chain risk. Consider requiring employees to log in to a VPN (virtual private network), especially if they're connecting to the company network remotely. It's often the sloppiest of mistakes that give hackers access to your business. Training and sound cybersecurity policies can fill in the gaps where technology often fails.
Monitor Everything: Establish a policy at your business about transferring funds; in the era of deepfakes, it's important to know who is likely to request access to money, and how it should be handled. Always double check by getting confirmation on the phone. All systems can introduce vulnerabilities, especially the introduction of new technology. Create a culture in which employees know that if they see something, they will be rewarded for saying something. Cybersecurity is a team sport.
Manage the Damage: When it comes to a compromise of your company's network or databases, honesty is the best policy, even if you've been hacked by a hostile nation-state. Own up to a data breach as quickly as possible (this is required by 52 separate jurisdictions in the U.S. and in particular by both the CCPA and the GDPR), be transparent about lapses in security, and review any policies that allowed the compromise to occur in the first place. Cyber fails are scary. Remember, your news might be more traumatic for your customers or clients than it is for you and act accordingly.
By Adam Levin