The Strongroom

The human factor that’s putting your business at risk

30th October 2018

Origin Security

Written by Jason Wild

It’s no secret that when it comes to cybersecurity, your people are your weakest link. The phrase is repeated so often, it risks straying into the territory of cliche. But there’s good reason we bang on about the importance of staff awareness and education. Businesses around the world lost $600 billion to cybercriminals last year, according to a 2018 McAfee report. Of that, approximately 80% - that’s $480 billion - can be chalked up to the exploitation of three very human traits.

Curiosity, credulity and complacency

Depending on which report you read, social engineering attacks are responsible for around 40% of all successful cyber attacks. Of those, 90% use phishing, an old but continually evolving form of attack that exploits the first of our two traits: curiosity and credulity.

Around 50% of the remaining breaches worldwide result from hacking - which utilises stolen or weak passwords (mostly obtained from breaches originating from phishing attacks) 80% of the time. For that sobering statistic, we can thank our third trait: complacency.

These three traits have been reliably leveraged by criminals since time immemorial. The difference between the scams of old and those of the digital age, though, is scaleability. Let’s take a look at phishing as an example of how cybercriminals are dialing up the damage.

Sophisticated cybercrime at scale

According to Symantec’s 2018 Internet Security Threat Report, a staggering 55% of all email is malicious. Every month, Origin’s Security Operations Centre prevents 20,000 malicious emails from reaching our clients’ inboxes. But even with strong technical controls in place, many hundreds of phishing attempts will inevitably hit the most vulnerable part of any network: the end users.

That’s because criminals are cooking up increasingly sophisticated techniques. Gone are the days of the Nigerian prince with more cash than sense - today’s mass phishing campaigns make use of stolen branding, legitimate-looking email copy, and fake websites. They’re frequently so slick that they succeed in tapping into the curiosity and credulity of even the most savvy end user.

Personalised attacks on the rise

Not all phishing attacks are conducted at scale, however. We’re seeing a dramatic increase in business email compromise (BEC) scams; highly personalised phishing attacks where the victim is persuaded to take a specific action, typically a payment or transfer of funds. In a recent example, an attacker posed as our customer’s CEO and emailed their CFO requesting an urgent funds transfer. The email was given a sense of authenticity by the use of information the attacker knew about the CEO, such as his writing style and the fact he was away at an overseas conference.

What’s at stake?

Hundreds of millions of dollars. BEC scams alone cost organisations around the world $676 million in 2017, according to the FBI’s Internet Crime Report; while large-scale phishing campaigns frequently harvest credentials, potentially compromising IP and customer data.

The Verizon 2018 DBIR reports that 92% of malware is delivered via email links and attachments. We’ve seen instances where malware delivered via phishing attacks spread to an organisation’s customers, resulting in significant brand damage. Imagine having to disclose to clients that it was one of your staff members who clicked a phishing link and opened Pandora’s box.

And now for the good news

Training your staff to overcome their natural human tendencies, and instead spot and report phishing attempts, is a cost effective and relatively easy way to strengthen your security defenses.

Origin Security’s Phriendly Phishing programme results in a dramatic decrease in the number of staff who click on any given phishing link - typically from a baseline of around 25-30%, down to less than 5% at the end of the first year. It’s one of the most effective steps you can take to quickly improve your security posture, regardless of the size of your organisation.

 

Find out more about Phriendly Phishing here.

Jason Wild

Information Security Consultant

Jason provides information security consulting as part of our vCISO offering. He has 29 years’ experience in the IT industry, with over 20 years in management and consulting roles.

Join the Strongroom
Join The Strongroom and get a regular round-up of news and views to keep you up to date with the fast moving world of cyber security.