Last week, all users of Apple mobile devices, iPhones, iPods, and iPads, were strongly encouraged to update to the newest operating system. Initially some users responded with a shrug – another malware attack, another software update, been there, done that. But very quickly it became clear that this was no routine alert.
In a typical hack, a user needs to engage with malware – the most common way is by clicking a malicious link or opening an attachment. But this was no routine attack – there was no link to click, no fraudulent email to avoid. For the first time, hackers found a way to gain access to a device with no interaction by the end-user at all. A device can be targeted and infiltrated by simply receiving a text message or a phone call, and once the malware is installed, data and applications, like the camera or microphone, are at risk. These new attacks are “zero-click exploits,” and identifying one is nearly impossible.
Fortunately for Apple and its customers, this recent zero-click exploit, brought on by Pegasus spyware, was identified, and last week’s security update provided a much-needed fix. It is important to understand that Pegasus spyware was developed by Israel-based NSO Group and was intended for legitimate law enforcement purposes by democratic governments. But when it is in the wrong hands, it is a different story.
Scary, right? But if there is any good news here, it is that you are unlikely to be the target of this type of attack. Thus far, Pegasus has been used to target specific, high-profile individuals, which means there is not an immediate threat to the public at large. That said, tomorrow is a new day, and every unpatched device is vulnerable, so it is critical to be aware of this risk, and responsive to the guidance and support that Apple can provide in these situations.
While the risk of a zero-click exploit is dominating the news cycle today, it is important to remember that malware attacks come in many forms, and via many channels. Apple is certainly not alone, as many businesses large and small are targeted by cybersecurity threats. Just this past June, LinkedIn experienced a data breach that put 700 million of their users at risk. An incredible 90% of LinkedIn users had their information posted on a dark web forum. And just one month ago, T-Mobile was the target of an attack, which put the personal data of more than 50 million customers at risk. These high-profile breaches are shocking, but they are far from unique. An incredible 47% of US companies have experienced a data breach within the last year.
It is easy to feel like a sitting duck in the face of so many breaches, from seemingly all directions, but there are steps that you can take to protect yourself. First of all, practice good cyber-hygiene! Be sure to update the operating systems on your mobile and desktop devices and be cautious and careful when receiving unsolicited calls and texts. This will lower your risk of falling victim to a cyber-attack.
And if you want to learn more, you’re in the right place! October is Cybersecurity Awareness Month, and in the coming weeks we will be sharing more information and insights on the emerging, and constantly evolving, risks for individuals and businesses. Plus, we have a few ideas about mitigation and management through insurance – stay tuned!