16 Digital Hazards Could Threaten Your Business & Personal Life

(SALEM, Ore.) - A Microsoft database containing information about 250 million individuals was left exposed to the web for days earlier this year, according to a report by ZDnet and an official admission by the Seattle-based digital conglomerate.

Microsoft claimed the database didn’t contain any information that could personally identify the victims, such as physical addresses, full names, or government-issued identification numbers.

Still, the trove did contain information that could harm the victims were it to fall into the wrong hands: IP addresses, email addresses, and even details about their interactions with Microsoft.

What’s most concerning about this breach isn’t the fact that it happened. It’s the fact that it was just one more digital mishap in a seemingly endless line of them — not the first and certainly not the biggest of 2020, and certain not to be the last.

With such events a depressingly frequent and familiar fact of life in the digital age, businesses and individuals rightly wonder about their own vulnerabilities to cyber security threats.

Increasingly, these would-be victims are taking matters into their own hands, investing in front-end protection like antimalware suites as well as back-end solutions like cloud-to-cloud backup, which limits the fallout from hacks, power interruptions, and even natural disasters.

These protective measures are welcome — and, arguably, no longer optional. But it’s also important for potential victims to educate themselves about the specific nature of the threats they could face in the near future.

After all, the sorts of mega-exposures like the one Microsoft was forced to admit to earlier this year represent a small fraction of the total number of cyber incidents that occur each year.

1. Unprotected Database Exposures

First, let’s tease out the implications of incidents like the Microsoft database exposure of 2020. Such exposures happen all the time, literally multiple times per week.

We just don’t hear about most of them because they’re not big enough to make national news, not serious enough to warrant concern (or so we’re made to believe), or they primarily or entirely involve people outside the United States.

Even that middle category — exposures “not serious enough to warrant concern” — should give us pause. In the wrong hands, even seemingly innocuous information like one’s email address or full name opens the door to further malfeasance, some of which we describe in more detail here: phishing and spearphishing attacks, identity theft, even harassment or extortion.

For your sake, your family’s, and your business’s (if you run one), you don’t want that information in the wrong hands.

2. Insider Theft of Customer Information

This is a threat both to the businesses it affects directly and the customers who could be harmed should the stolen information fall into the wrong hands. It’s also, unfortunately, one of the most difficult cyber security threats to protect against because it turns on the most unpredictable of actors: human beings.

Businesses collectively invest billions in predictive intelligence to suss out potential traitors in their midst and limit the damage they cause, but they can only do so much. Insiders remain a persistent threat and will for the foreseeable future.

3. Ransomware Attacks

Ransomware is a type of malware that essentially holds infected systems for ransom by encrypting the data on those systems and demanding payment (usually in untraceable cryptocurrency) on pain of permanent data loss.

Even when victims pony up, there’s no guarantee the data won’t be gone for good or corrupted beyond repair, which is why it’s so important to invest in cloud-based backup solutions that can limit (or entirely eliminate) data loss.

4. Email Phishing Attacks

Phishing attacks are often low-quality, “spray and pray”-type schemes that snag very few of their intended victims. But this “numbers game” works just fine for attackers with the resources to email thousands and thousands of recipients every day using automated programs and, often, hacked email accounts.

Their endgame is simple: gaining access to victims’ account credentials, personal information, financial information, or all three.

5. Email Spearphishing Attacks

Spearphishing is a more sophisticated variant of phishing. As the name implies, spearphishing tends to be more targeted and accurate, with a higher rate of success to boot.

Spearphishing emails are often really difficult to distinguish from authentic messages, even for people who think they know how to spot a phony. This is why it’s so important to educate yourself (and your team, if you run a business) about proper email hygiene and best practices for sharing information by email.

6. Spoofing Schemes

If you own a cell phone, you’ve experienced spoofing, whether you realize it or not. The FCC’s guide to caller ID spoofing describes this increasingly common practice used by spam callers, if you’re interested. The practice has real consequences, though fortunately most potential victims are alert enough to parry it.

Other types of spoofing can have more serious consequences, particularly when they successfully convince us that we’re speaking with trusted partners in confidence.

Email spoofing, like spearphishing, is a common means of extracting sensitive personal and business information from those with access to it. In the worst incidents, spoofing attacks successfully extract the so-called “keys to the kingdom” — top-level account permissions — from high-ranking executives, with incalculably damaging results.

7. Man-in-the-Middle (MitM) Attacks

This “silent but deadly” type of attack siphons digitally transmitted information via a well-placed intermediary, often without the victim’s knowledge.

It’s particularly common in environments where traffic flows over unsecured networks, which is why you should follow cyber security experts’ repeated pleas not to connect to networks you don’t trust (or, when you do, to use a virtual private network or other secure proxy).

8. Deliberate Denial of Service (DDoS) Attacks

This type of attack is definitely not “silent but deadly.” It’s better described as “brute force.” The goal is often mere havoc, as successful DDoS attacks can knock victims offline for hours (or until the attack stops) and the ability to conduct them is very often used as a display of one’s capacity to muster the raw power of the Internet to one’s ends.

Sometimes, however, DDoS attacks have more sophisticated, sinister motivations, such as creating a diversion that draws victims’ defenses away from another vulnerability and allows attackers to steal sensitive information.

9. Malicious Links

Malicious links come in many different forms and get delivered via many different media, but the end result is often the same: infecting the victim’s device or network with malware that disrupts their activities, reads their data, or both.

Watch out not just for spammy emails with questionable links or images (one reason you should never open an email you don’t trust) but for text messages and social media pings — avenues not normally associated with malicious activity.

10. Social Media Phishing and Spearphishing Attacks

On the subject of nefarious social media activities, two related types of social attack deserve scrutiny here: social media phishing and spearphishing.

Like their email-based equivalents, social media phishing and spearphishing aim to pry credentials or other sensitive information from unsuspecting victims. The familiar, collegial nature of some social media platforms aids in this effort, which makes it especially important to be on your guard.

Look out, in particular, for friend and connection requests that seem to appear out of the blue or appear too good to be true; sadly, many social media accounts aren’t genuine.

11. Physical Device Theft

This is the proverbial laptop-left-in-the-airport scenario. While device security has certainly improved in the years since such situations could spell doom for corporate victims, determined attackers can still crack business-grade security with ease.

This is why physical device security is so important — along with “minimum necessary permissions” protections that ensure most employees and contractors don’t have reason to walk around with devices teeming with super-sensitive information.

12. Third-Party Vendor Attacks

Some of the highest-profile hacks in recent memory used poorly secured third-party software or hardware to breach their intended victims’ defenses.

The massive Target hack that devastated the mega-retailer’s reputation in the mid-2010s famously used an HVAC vendor’s less-than-secure portal to get inside. Other attacks have used even more exotic vectors, including WiFi-connected fish tanks.

Let this be a lesson to hold your vendors to the same high security standards as the rest of your organization.

13. Hardware Hacks

Hardware hacks aren’t yet as common as some of the other cyber threats on this list, but they have the potential to be truly devastating to businesses and reputations alike, not least because they’re so difficult to detect and prevent.

Moreover, in a world with tens of billions (and growing) of Internet-connected devices — refrigerators, cars, critical infrastructure — the sheer level of potential risk is only set to grow.

14. Zero-Day Exploits

A zero-day exploit is a latent vulnerability baked into hardware or digital infrastructure (for example, operating systems). Once discovered, it can be used as an entry point for hackers to steal information, disrupt activities, or corrupt data and systems.

Like hardware hacks, zero-day exploits are extremely difficult to detect. In fact, they’re by definition impossible to detect until they’ve been exploited, either by (hopefully) “white-hat” hackers paid to test system vulnerabilities or (hopefully not) by “black-hat” hackers — the bad guys.

15. Infrastructure-Related Incidents and Natural Disasters

If you read or watch the news regularly, you’re aware that America’s infrastructure is creaking under the weight of age, climate change, and human-caused threats.

Unfortunately, this leaves the people and businesses that rely on it vulnerable to hazards for which they bear no direct responsibility.

Whether that’s a long-duration power outage caused by a fire or earthquake or an intentional attack on a server farm, it’s a problem for businesses that rely on the expectation of 100% uptime.

16. On-Site Data Theft and Disruption

This might sound like the stuff of action movies like The Bourne Identity, but it’s more common than you’d think.

And more devastating. Determined attackers who breach server farms’ defenses or monkey with colocation hubs can interrupt or divert entire streams of data, compromising the organizations and individuals that rely on that data for long periods of time (perhaps permanently).

This is why you’ll see Internet infrastructure providers talk so much about physical security. It’s a real, pressing worry that keeps cyber security experts up at night. If you value the physical sanctity of the equipment and systems that handle your data, be sure to work with providers that value it too.

Are You Ready for What’s Coming?

We’ve covered quite a bit of ground here. Maybe more than you were hoping to learn about the myriad digital threats that could compromise your business or personal life (or both) in the months ahead.

Sad to say, we’ve only just begun to scratch the surface. The dirty little not-so-secret about cyber security is that basically no one on either side of the black-versus-white-hat divide has perfect visibility into the actual state of play.

The space is simply too vast, with too many moving parts and interlocking factors and domains of expertise, for any single individual (or artificial intelligence, yet) to understand exactly what’s going on.

That, of course, is a scary thought. That even the best and brightest cyber security professionals, the people we hope and expect will be there to protect us, don’t know everything about the threats we face — well, that’s just not very comforting.

To make matters worse, the cyber security reality is always shifting under our feet. What’s true today might not be true tomorrow, let alone next year, and very often we’re left to make educated guesses about the most serious threats we face.

Does that mean we should give up? Throw up our hands and say, “You know what, there’s no way we can stay safe — why bother?”

Of course not. Just as being a good real-world citizen means abiding by rules meant to keep our friends and neighbors safe, being a good digital citizen means following the best practices and recommendations of people who know more about cyber security than us. These rules of the digital road might not be foolproof, but they’re the best we’ve got.

As we look forward to another uncertain year, let’s all resolve to do our best to take ownership of what we can control, starting with our digital vulnerabilities. It’s a scary world out there, after all, online and off.