14 November 2022

November - Cybersecurity – 2 / 7 Opinion

The cyber threat that software can't fix but you can

Miles Harmsworth looks at how to tackle the 'human element' of cyber fraud.

Author: Miles Harmsworth, Lawyer

Cyber fraud is something we all think we are prepared for until it actually happens. As cloud becomes the primary location for data storage and organisations prepare for their transition to the metaverse, the possibility of succumbing to a cyberattack has never been greater.

That said, an organisation open to understanding its flaws and putting in place key preparedness measures can significantly limit the impact of any attack. So what does that involve?

What is cyber fraud?

Cyber fraud happens when online hackers commit actions targeted at compromising personal, financial or other valuable types of information stored online. The most common types of cyber fraud fall into four categories:

  • Hacking – the unauthorised exploitation of vulnerabilities in a computer system or network.
  • Phishing – using deceptive communication practices (email, phone, text, website chats) to gain access to a user's security or personal information.
  • Malware – intrusive software designed to damage or destroy a computer system or network.
  • DDoS attacks – flooding a website with traffic to disrupt the availability or functionality of the targeted system.

What's the biggest threat?

Despite films like 'The Matrix' and 'The Girl with the Dragon Tattoo' invoking images of hackers sitting in a dark room, filled with screens and lines of code, the biggest cyber threat to modern businesses in 2022 is the least technologically advanced – phishing attacks.

Phishing attacks come in various shapes and sizes, with Fortinet identifying up to 19 sub-categories of attack! Don't worry, we're not going to go through each of them here. But what makes them so successful, and what is the actual biggest cyber threat, is a single common component – you! Or more specifically, the fact that you're a human.

Phishing attacks are so effective because they exploit the 'human element' of a business's operations, leveraging natural curiosity, impulsiveness, ambition and empathy. Although we may think "I'll never fall for that", it's important to remember that these cybercriminal organisations have become experts in manipulating the human element and anyone can fall victim, even some of the biggest names.

  • Sony (€80m): In 2014, Sony Pictures reportedly lost €80m, when top executives (including the CEO) received phishing emails purportedly from Apple. After entering their ID verification on a dummy site, the attackers accessed a trove of information including employees' personal information and private messages, and information on unreleased films. It was later discovered that the attackers were tied to a state-sponsored North Korean group.
  • Colonial Pipeline ($4.4m): In May 2021, the DarkSide gang used phishing attacks to gain access to an employee's password, and installed malware, which severely impacted the fuel supplier and millions of individuals who relied on it. The company paid the attackers $4.4 million for the decryption key, but the true cost of the attack was much more.

The human element extends beyond phishing emails

The human element goes far beyond phishing attacks and extends to mis-delivery and misconfiguration, or to put it another way – 'humans being humans' and making mistakes. Verizon's 2020 Data Breach Report ranked mis-delivery and misconfiguration as the most common causes of breach at the time. Some headline examples include:

  • Hackers stealing over 100m records in a blockbuster attack on Capital One, caused by a misconfigured firewall.
  • Hackers accessing over 24m user records from Lumin that had been left in a MongoDB database which hadn't been properly secured – meaning it was accessible by anyone online for months.
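The Lumin example above is the classic 'database left open to the internet' misconfiguration. The following is an added example, not code from the original article or from any of the companies mentioned: a small audit script that reads a mongod configuration file and flags the two settings that together produce exactly that outcome, a listener bound to every interface (net.bindIp / net.bindIpAll, real mongod options) with no authorization (security.authorization) enabled. The two config files are constructed samples; the parser only understands mongod's simple 'section / key: value' layout and is not a general YAML parser, and treating a missing bindIp as localhost-only is an assumption based on the documented default of recent releases.

```python
"""Audit a mongod.conf-style file for the 'open to the internet' misconfiguration.

Added example, not part of the original article. Checks net.bindIp, net.bindIpAll
and security.authorization; a missing bindIp is assumed to mean localhost-only.
"""
from typing import Dict, List

# Constructed sample: the weak configuration (listens everywhere, no auth).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from any network interface
"""

# Constructed sample: the hardened configuration (localhost only, auth enabled).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'section:' lines followed by indented 'key: value' lines.

    Comments (after '#') and blank lines are ignored. Nested structures deeper
    than two levels are not supported; mongod's common options do not need them.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.rstrip(":").strip()
            sections[current] = {}
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_mongod_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings: List[str] = []

    # Exposure: any wildcard address, or bindIpAll, means every interface listens.
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    exposed = any(a in ("0.0.0.0", "::") for a in addrs) or \
        net.get("bindIpAll", "false").lower() == "true"
    if exposed:
        findings.append("net.bindIp exposes the database on all network interfaces")

    # Authentication: anything other than 'enabled' lets unauthenticated clients in.
    auth_enabled = security.get("authorization", "disabled").lower() == "enabled"
    if not auth_enabled:
        findings.append("security.authorization is not enabled")

    # The combination is the breach scenario: reachable from the network, no login.
    if exposed and not auth_enabled:
        findings.append("CRITICAL: database reachable from the network with no authentication")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_mongod_conf(conf)
        print(f"{name}: {result or 'no findings'}")
```

Run it against a real mongod.conf by reading the file into `audit_mongod_conf`; a non-empty result on a production host is the kind of finding that training on cloud and database configuration is meant to make someone notice before an outsider does.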

How to defend against the humans?

Researchers and analysts predict that 99 percent of data breaches will be user-driven, so the question becomes, what can we do?

Perry Carpenter – cybersecurity veteran, author and chief evangelist-security officer for KnowBe4 – explains that the biggest challenge concerns the fact that "workers may be aware of the threats and risks, how they work and what they need to do to avoid them, but still fail to take the necessary actions to keep the company safe." The UK's ICO recently commented on a similar theme when fining Interserve Group £4.4m for cybersecurity failings which compromised employee data: "the biggest cyber risk businesses face is not from hackers but from complacency within their company".

With this being the case, the most effective plan of attack is a multipronged strategy that engages employees and bridges the technical element of cybersecurity with the human element inherent in all members of the organisation.

  • Education and training: Regular and mandatory training that engages the workforce is key to embedding a base of knowledge throughout your organisation, along with an understanding and awareness of the potential fallout from cyber fraud. Here it's important to emphasise that training shouldn't stop at identifying suspicious emails; as we learnt from the Capital One example, security affects all parts of the business and should extend to preventing mis-delivery and misconfiguration risks. As more and more organisations migrate to the cloud, training employees on the tenets of cloud security, such as the shared responsibility model, will be a staple of any comprehensive and effective security training package in the future.
  • Tools and communication: Preventing the threat from reaching an employee in the first place is one of the most effective tools a company can employ, as it removes the human element entirely. But where this cannot be achieved, tools for reporting potential cyber threats, and educating employees on how to use them effectively, are key to protecting your organisation and your customers' data from potential hackers.
  • Culture: What's worse than not knowing about an attack, is knowing and not doing anything about it. One of the biggest hurdles organisations will need to overcome is the 'I'm too smart to fall for that' mentality, which encourages employees not to report that phishing email that they definitely won't, but almost certainly do fall for. As stated above, hackers on the other end of these attacks are 'experts' in what they do and instilling a 'report first' culture, where employees put customer security above personal pride, is key to long term success and limiting the impact of successful attacks should they arise.
  • Simulation and breach preparedness: The old saying goes that 'there's nothing quite like the real thing', but in the world of cybersecurity we can get very close. Simulated breaches are one of the most effective ways of assessing your organisation's current level of breach preparedness. Not only are these sessions enjoyable for us to run, but clients gain genuine and practical insights from their business's response. They can leave with a comprehensive understanding of where they excel, and where they need to improve their breach response plan should an actual attack materialise in the future.

What can you do now?

It's important to remember that tackling cyber threats and in particular the 'human element', is not a tick box exercise, but something that organisations need to think about in the long term.

The amount of budget you dedicate and the preventative steps you take, will ultimately depend on the size of your business, your resources, type of users and amount of personal data you hold.

One thing everyone can do right now is dig out and review your breach preparedness plan, ensure that the key contacts are up to date and that the plan makes sense for the business as currently constructed. And if you don't have a plan in place, it's time to consider putting this together. A great place to start is our Global Data Hub, and if you want some more information or want to enquire about the breach preparedness services we offer, we are only an email away – just don't start the email by asking for my mother's maiden name.

We look forward to hearing from you.

Practice areas and service teams: Data Protection & Cyber