You may have just discovered Slack, Jabber, Teams, or some other enterprise communications solution, but it’s too early to bury your Outlook. The proof? Email phishing increased by over 31% year over year in 2022’s third quarter alone! Emails carrying malware tripled. And the common denominator of all these attacks is—of course—people, your weakest link! Your employees, your partners, suppliers, contractors… even your clients.
According to Charlotte Trueman at CSO, the large majority of attacks use spoofing—impersonating well-known brands or company executives—to coerce a target into clicking a phishing link. And where scammers once spread their nets wide, they now usually target their victims more precisely, personalizing the bait. Frighteningly, although the global rate of attacks has remained stable, and even fell in Q3 compared to the previous quarter, the rate of attacks on industry is rising, with 68% of ransomware attacks targeting the US manufacturing sector.
One reason is the post-COVID shift to hybrid work on the one hand, and the lockdown-driven move of supply chain administration online on the other. Another, according to Dark Reading’s Stephan Banda—regardless of the pandemic—is that more and more companies are moving their operations into the cloud. Various as-a-Service (aaS) providers now host almost all administration and operations and, in the case of high-tech companies, even the product itself. For a small business, this is heaven-sent, since it means less investment in swiftly developing tech and in bricks-and-mortar infrastructure (rent and upkeep), and often even a downsized staff.
However, it also increases the attack surface considerably. Where you once had to go to the office, your company’s data is now available everywhere, on devices of almost any size. Unfortunately, the security mindset remains local: you secure the company’s computers, but not your employees’ mobile phones.
Considering the cost
Large corporations will spend upwards of a million dollars per year to mitigate phishing attacks, according to the latest reports. That includes the cost of fixing the damage, eliminating the threat and preventing it in the future. Multiply that by the thousands of phishing emails such a large-scale organisation receives every day, either directly or through an external agent or employee. Its IT department may sometimes spend a third of its resources dealing with phishing.
The biggest problem with phishing emails is that they adapt: each new version changes slightly to avoid the pitfalls its predecessor encountered. This means that creating algorithms to identify them is a never-ending game of catch-up. Second, the threats are often hidden—ransomware embedded deeper through chained links, phishing pages disguised as popups imitating legitimate websites. Finally, compromised email addresses that are marketed on the dark web will usually escape identification.
Then, of course, there is the multitude of links sent over social channels and through those seemingly safe enterprise communications environments.
The enemy without
All this would be relatively moot if the criminals themselves were answerable to the law. After all, military units foster a rich bed of talented cyber fighters, and crime-fighting agencies are seeing their budgets grow exponentially. Unfortunately, the character of cybercrime is that it is non-localized. An American corporation can be attacked from Russia, China, or Nigeria. The attackers are outside the jurisdiction of the FBI, the CIA, and the other alphabet agencies. In fact, many of them operate under the protection, and with the blessing, of their local tax collector.
Perhaps due to the global dimensions of the threat, many smaller businesses and individuals do not yet take the threat of cybercrime seriously, according to retired FBI agent Scott Augenbaum. Law enforcement won’t even deal with a case of cybertheft valued at less than $50,000 in losses, he claims. And so it comes down to changing behavior. Augenbaum doesn’t understand, for example, why multi-factor authentication isn’t more commonly used. Other behavior patterns, such as password cycling and offline storage, aren’t as deeply ingrained as they should be.
A month is never enough
Every October since 2004, the cyber community “celebrates” Cybersecurity Awareness Month. This year, Cybercrime Magazine featured an interview with Paul Connelly—CSO of a Fortune 100 healthcare provider serving and administering over 182 hospitals and 2,300 sites. As one of the prime targets for modern-day cyberthugs, the healthcare industry is expected to spend $125 billion on cybersecurity over this five-year period. The question is always how to spend it. Connelly believes in cooperative cross-industry efforts and in investing in newcomers, rather than relying on past experience—which often has little bearing by the following day.
Training, though important, must be undertaken carefully. Apparently, 84% of security experts polled say they’d been phished in the past 12 months, despite 98% of them having carried out training in the previous year. Clearly, generic training is insufficient.
Lance Whitney in TechRepublic suggests tailored training. To begin with, success should be measured not by training attendance but by results. Training should be adapted to the individual’s role, seniority, and past behavior. Graduates should be able to display proper password hygiene, email classification abilities, and “avoiding general human errors”. And cybersec managers should execute real-time interventions, such as spot tests and automated banners or push notifications on incoming and outgoing communiqués.
Back to basics
Torsten George, in SecurityWeek, harks back to basic zero-trust measures: don’t let anyone into your system, not even known users, without verification and validation. A Ponemon report actually states that 68% of breaches came through company-administered endpoint devices, affecting 51% of the companies polled! In fact, he states that companies must refocus their efforts (and cash) towards an “embrace the breach” disruption-management strategy. The flaws will always exist, so the best a company can do is be prepared. It should adopt strategies that prevent operational disruption, guard data integrity, and maintain business operations even when under attack.
Unfortunately, the smaller the company, the lower its resilience. And for an individual, this approach can be critical. SMBs and private individuals will continue to be dependent upon their own vigilance and whatever affordable off-the-rack technology the market can offer them.
Perhaps it’s time to head over to the App Store and see if novoShield satisfies your needs.
Part 2 – Social Media Cybercrime – the State of the Art
Part 3 – The Social Pit