Author: Morey Haber, CTO and CISO at BeyondTrust
Everyone makes mistakes. Whether we admit them or not is a matter of honesty, ego, and ethics, yet we all make them. Some of these mistakes are life-threatening and catastrophic, like driving under the influence. Others are simple, like clicking on a link in a well-crafted phishing email. As crazy as it sounds, that one simple mistake of clicking on a malicious link can actually be ruinous for your identity and take weeks, months, or even years to recover from.
And, if you make the mistake of clicking on a bad link in an email or on a website within your business, the ramifications can be business ending, cost tens of thousands of dollars to mitigate, or make the headlines of yet another security breach. One click can actually destroy you and potentially your business. If you are not sure how this can happen, or doubt that it is true, definitely read on.
Whatever you want to call a cybercriminal (a hacker, attacker, or threat actor), the goal of sending you a malicious email or posting bad links on a website is to entice an unsuspecting victim (you) to click on a link (URL hyperlink) or open a file. The hideous craft of inducing this action is called social engineering. It relies on the victim believing that the email or website is real, and on the message within it creating a sense of urgency or a false sense of trust that requests you to take an action. For the end-user, determining that an email is malicious can be tricky. Typically, misspellings, poor grammar, and noticing that the "from" email address is not correct can help the end-user determine that it is a fake. However, once in a while we make a mistake: the email or website looks real, or does not trigger our "fight or flight" response, and we click on the link. Now, depending on your cybersecurity hygiene, the link may do nothing, or it may begin a devastating process of compromising you and your computer. The risk is real, and everything from stealing your passwords to encrypting all of your files (in the form of ransomware) is a potential outcome if you have poor cybersecurity hygiene.
What is cybersecurity hygiene?
Just like changing the oil in your car or showering once a day, good cybersecurity is a set of routine procedures that ensure your computer is operating correctly and that you (as a user) are operating it safely. The basics are simple:
Allow the operating system and applications to apply recommended security updates
Ensure that your anti-virus solution is licensed, receiving updates, and periodically scanning your system
Operate your computer as a standard user, not an administrator, for daily activities
If your operating system is end of life (Windows 7, or older systems like Windows XP), update or replace your system
Why does cybersecurity hygiene matter if I click on a link?
The vast majority of malware that can infect your computer when you click on a link relies on vulnerabilities and exploits in your operating system, browser, or an associated third-party application. If these are fully patched, then the potential virus deposited on your computer cannot infect your system. And, if your anti-virus is up to date, odds are it will detect the virus and eradicate it even before it can execute. While this is not true 100% of the time, the vast majority will be detected and blocked by leading vendors, including Windows Defender, which is built directly into the Windows operating system supplied by Microsoft. In addition, almost all vulnerabilities and exploits require administrative rights in order to "hook in" or become persistent on your computer. In fact, 88% of vulnerabilities published by Microsoft can be mitigated just by removing administrative rights from your daily usage. It is therefore recommended that end-users take the extra step of creating a new account on their computers with just "standard user" rights for daily activity, and safeguard the account with administrative privileges that they used to set up the computer, even if it is linked to their Microsoft Online profile. The administrator account should be used only for making changes, not for surfing the web or checking email. This alone will help block many attacks associated with malicious links. Finally, and bluntly, ditch your old computer. It is end of life, no longer receiving security patches, and odds are that the anti-virus vendor is no longer providing updates since the platform has been deprecated. It is simply not a safe device to have on the Internet, and hackers know this. Its vulnerabilities and exploits are easy targets, since end-users have no way of mitigating the risks.
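As an added example (not from the original article), the following read-only PowerShell script checks the four hygiene basics listed above and the reasons for them given in this section: pending security updates, Defender status and scan age, whether the daily account is a member of the local Administrators group, and whether the OS is out of support. It assumes Windows 10 or 11 with Microsoft Defender and the built-in LocalAccounts module; the Get-HygieneReport function name and the thresholds in the findings are the author's own choices.

```powershell
# Added example, not from the original article: a read-only self-check of the
# four hygiene basics. Assumes PowerShell 5.1+ on Windows 10/11 with Defender.
function Get-HygieneReport {
    $report = [ordered]@{}

    # 1. Security updates: ask the Windows Update Agent for anything not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $report['PendingUpdates'] = $result.Updates.Count

    # 2. Anti-virus: Defender active, signatures fresh, and a recent quick scan.
    #    If a third-party product is installed, Defender may be passive and report false here.
    $mp = Get-MpComputerStatus
    $report['AntivirusEnabled']   = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
    $report['SignatureAgeDays']   = $mp.AntivirusSignatureAge
    $report['DaysSinceQuickScan'] = $mp.QuickScanAge

    # 3. Least privilege: is the logged-in account a direct member of the built-in
    #    Administrators group (SID S-1-5-32-544)? Nested domain groups are not resolved.
    $me        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop).SID.Value
    $report['DailyAccountIsAdmin'] = $adminSids -contains $me.User.Value

    # 4. Supported OS: anything older than Windows 10 (kernel 10.0) is out of support.
    $os = Get-CimInstance Win32_OperatingSystem
    $report['OperatingSystem'] = $os.Caption
    $report['OSEndOfLife']     = ([version]$os.Version).Major -lt 10

    # Turn the raw facts into findings that map onto the article's four basics.
    $report['Findings'] = @(
        if ($report['PendingUpdates'] -gt 0)     { 'Install pending security updates' }
        if (-not $report['AntivirusEnabled'])    { 'Enable Defender real-time protection' }
        if ($report['SignatureAgeDays'] -gt 3)   { 'Anti-virus signatures are stale' }
        if ($report['DaysSinceQuickScan'] -gt 7) { 'No quick scan in the last week' }
        if ($report['DailyAccountIsAdmin'])      { 'Daily account has admin rights; use a standard user' }
        if ($report['OSEndOfLife'])              { 'Operating system is end of life; upgrade or replace' }
    )
    [pscustomobject]$report
}

Get-HygieneReport | Format-List
```

Run it from the account you use every day, not an elevated prompt, so that the administrator check reflects the account that actually clicks on links.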
One click can destroy your identity. A cybercriminal can trick you into believing their lies and malicious message, and you may make the mistake of clicking on a bad link. The results can be devastating. However, by following basic cybersecurity hygiene, you can mitigate some of this risk and thwart the most common attacks at home or in your business. While these recommendations are not a 100% solution, and we all make mistakes, they are the best things we can do to prepare for a mistake and prevent the results from being devastating. The only other thing we can do is education and training to identify these fraudulent links, emails, and websites in the first place, so that we do not click even once.