Are You a Hard Target for Cyber Criminals? You Must Be
Cyber criminals hate a hard target. In the language of security, a “hard target” is someone difficult to hack, while a “soft target” is someone who is especially vulnerable.
Put yourself in a criminal’s shoes: Which home would you attempt to rob: the one with the back door open or the one with the spotlights and a burglar alarm? Those home security deterrents may not stop a determined criminal, but they send a clear message: This home takes security seriously, and you put yourself at risk if you try to break in.
Cyber criminals think in the same terms. They look for signs that you take security seriously. Some criminal gangs keep databases of known soft targets; you may know someone who is often hacked. All cyber criminals know what signs to look for to see if you pay attention to cyber security. They also know the difference between real cyber security and half-hearted attempts, just as experienced burglars know how to spot fake cameras and alarms.
It is not expensive or difficult to be a hard target. All you need is a little time and a commitment to consider how you approach online interactions. Here are five things you can do right now that will make you a hard target and convince criminals to look for easier victims.
Update your software.
A recent article in The Wall Street Journal certainly caught the eye of cyber criminals. It discussed users who cling to old operating systems and old software because they like certain features or because they do not want to learn a new interface. Some businesses still rely on old operating systems and outdated devices that power critical business functions because they want to avoid the learning curve with new software or because they find upgrading too expensive.
These users and business owners are the ultimate soft target. Criminals have databases of known exploits in old apps, programs and operating systems. They search online to find outdated software that is still in use, then launch attacks to steal passwords, gain access to networks, install ransomware or hijack customer data. Updates should be automatically applied and must be manually applied when auto-updating is not an option. Business owners should note that failure to update systems will void cyber liability insurance policies and trigger violations of the FTC Safeguards Rule. Publicly traded companies and businesses that serve publicly traded clients could face additional penalties under the SEC Disclosure Rule if hackers attack out-of-date systems and software.
If you absolutely must maintain old software or devices, the only safe way to do so is to keep them fully isolated from the Internet. That means no wired or wireless connections that could allow a hacker to access the device.
Change your passwords.
Password and credential theft occur daily. Most people accept it as a fact of life. What most people do not realize is that criminal gangs keep databases of usernames, passwords and other login credentials. These databases are bought and sold on the Dark Web, tested using a variety of methods, then repackaged into verified lists of working credentials. If you change passwords several times a year, you will be seen as a hard target and criminals may stop selling your personal information. Criminals will note that old passwords do not work, and those who act as information brokers may take note of how frequently you change your credentials.
Do not trust. Verify.
If you have ever taken a self-defense or defensive-driving course, you know that one of the first lessons is to question the way you trust. Most people trust unconditionally. They see a yellow line on the road and assume other drivers will respect it. They receive a text that appears to be from a coworker and they respond.
A hard target is vigilant and skeptical. They question everything and develop the ability to sense unusual situations. Instead of assuming that an email, text or phone call are legitimate, they investigate. These skills, which can be developed through cyber security awareness training, make the hard target nearly invulnerable to business email compromise and pretexting attacks.
Anyone can begin to develop these skills by questioning how easily they trust, and why. Criminals prey on trust to steal credentials and cash and to reroute valuable deliveries. Businesses can develop protocols to limit these attacks, but it ultimately falls on individuals to recognize unusual behavior and have the confidence to investigate it. When in doubt about a text or email request, do not respond to it. Reach out to the source at a known phone number and verify the request.
Use multi-factor authentication.
You should be familiar with two-factor authentication, which sends a code to your phone or a verified email address to allow you to log in to services. You may be less familiar with multi-factor authentication, such as biometric logins on devices or apps that check for the presence of your phone before authorizing a financial transaction.
Whenever, and however, multi-factor authentication is offered, take advantage of it. This makes you a very hard target to hack, and shows criminals that you take cyber security seriously. When criminals discover that you have multi-factor authentication enabled, they may stop attempting to hack your accounts and stop sharing your credentials online.
Report successful hacks and data breaches to law enforcement.
Here are two things you must understand about cyber criminals: They want to avoid exposure and they talk to each other. When criminals successfully claim a ransom from a business, steal data. steal money or gain access to networks and systems, they share that information with other criminals in online forums. You may believe that failing to report a cyber crime keeps the knowledge of that crime between you and the hackers, but it does not. Hackers tell other hackers what they did, who you are and how you failed to alert anyone. That invites more hackers to attack you. To be a hard target, you must communicate as loudly as possible. Tell law enforcement. Tell professional associations. Tell colleagues at other organizations. Tell the press. Share everything you know about how you were hacked and how you responded. Cyber criminals do not want the publicity, and they do not want their methods compromised. In the best-case scenario, law enforcement may make an arrest, thwart a future attack or help you regain lost money. In most cases, you will simply be contributing to a shared knowledge base that makes it harder for criminals to operate.
A Hard Target Still Faces Two Types of Cyber Attacks
Making yourself a hard target will deter cyber criminals and reduce the amount of fraud you encounter. There are two additional categories of cyber attacks that you may face, depending on who you are and what you do.
- Spam attacks. Inexperienced and unskilled criminals still send mass emails claiming that you have inherited millions from a deceased prince, that your package cannot be delivered or that your account has been deactivated. You will also encounter browser takeovers online from time to time. As a hard target, you will know that these are very unsophisticated, broad-based attacks designed to catch the unwary. They are not targeted and they are not personal. If you have developed a healthy level of skepticism, you will find it easy to ignore them.
- Spear phishing and AI-powered attacks. Depending on what you do, where you work or whom you work with, you could be a high-value target for cyber criminals. You likely know if you fall into this category, and you should have received additional cyber security and anti-phishing training. The main question you need to ask is whether you are as vigilant in your personal cyber security as you are on the job, and whether you take steps to help your loved ones maintain good cyber habits. High-value targets are closely watched by cyber criminals, who may use sophisticated methods to attack your personal devices, or people you know, as a means of getting to you.
If you have a few minutes to work toward becoming a hard target, take our free E-Mail Safety Crash Course. Adapted from our comprehensive Cyber, Social, Identity Protection Certification program, this video module offers immediate steps you can take to thwart cyber attacks on any email platform, as well as advice on how to identify suspicious emails.