
Building a robust cyber defence: When good just isn’t good enough

(Image credit: Wright Studio / Shutterstock)

There is a common misconception among organisations globally that having a ‘good’ security posture will keep their all-important business data safe and cyber criminals out. But what does ‘good’ really look like, and is it good enough?

Today’s threats target people, not infrastructure. So, while technical solutions and controls remain crucial in building a robust cyber defence, they are just one aspect of a broad and deep barrier against the latest threats.  

Whether via malicious links, account compromise, or social engineering, threat actors are turning their attention to what, for many organisations, is the last line of defence. A last line that is often ill-prepared. Its people.

All it takes is one click, from one employee. No matter how robust your technical systems are, cyber criminals have just found their way into your organisation.

A new approach is required, particularly as we enter the new normal of remote working. An approach that puts people at the heart of cyber defence – ensuring employees are not just able to spot and deter attacks but are acutely aware of their role in keeping our organisations safe.

With millions more employees working from home, outside the protections of the office environment, organisations worldwide have had their attack surfaces widen, leaving them more exposed to cyber threats during this global crisis than ever before.

Cybercriminals are all too aware of this fact and have wasted no time exploiting the opportunity.

Even before the global pandemic was officially declared, Proofpoint’s threat intelligence team uncovered large volumes of coronavirus-themed phishing attacks – from those offering a ‘cure’ to those gathering information to populate a ‘government database’. Now, as global lockdown rules shift from region to region, we expect to see attacks adapt and use lures surrounding the theme of office locations reopening, among others.

Whatever the lure used in an email-based attack, the goal is the same – to prey on human nature, the innate psychological traits shared by everyone. Using social engineering attacks, cybercriminals trick employees so they can steal credentials, siphon sensitive data, reroute pay checks and fraudulently transfer funds. No matter the technical solution in place, one click is all it takes for a cyber attack to be successful.

Dubbed the most expensive issue in cybersecurity, one method of email attack that has spiked in recent years is Business Email Compromise (BEC). BEC attacks are fast growing in popularity for two simple reasons – they work, and they pay. So much so that the FBI recently issued a Public Service Announcement estimating that BEC has cost global businesses around $26bn since 2016.

Behind such eyewatering statistics are real-world companies suffering real-world consequences.

Last year, Toyota Boshoku fell victim to the largest ever loss in a single reported attack. The Toyota subsidiary was duped by an imposter posing as a business partner and convinced to transfer $37m into a bogus account. More recently, in January of this year, Puerto Rico lost more than $4 million in three separate BEC attacks on its government agencies, and only last month, Norway’s state-owned investment fund Norfund fell for an imposter email and transferred 100 million NOK (approximately $10m) to cyber criminals.

Building tomorrow’s defences today

When it comes to defending against BEC attacks, these exceptional circumstances have shown many organisations’ cyber defence to be anything but. Large remote workforces, increasingly reliant on email, have exposed a significant weak spot. One which many are failing to address.

People and email are the attack surface of choice for the modern cyber criminal. Most defence strategies do not reflect this. Despite over 90 percent of advanced threats stemming from email, just 10 percent of cybersecurity spending is focused in this area.

Those on the frontline suffer from a similar lack of investment.

The majority of organisations conduct less than two hours of cybersecurity training per year. Unfortunately, this is evident in the lack of threat awareness among end-users. Just 66 percent of the global workforce understand the term phishing, with only 31 percent familiar with ransomware. 

This must change. We cannot expect our people to protect our organisations without equipping them with the tools and knowledge to do so.

Just as cyber criminals have taken this opportunity to hone their attacks, so too must we take this opportunity to hone our defence. We cannot build cybersecurity strategies on the principles of yesterday. Our strategies must reflect the threat landscape of today and be ready for the attacks of tomorrow. 

This people-shaped gap in many cyber defences stems from a lack of awareness and education. Something many organisations are still failing to address.

Putting people at the heart of your defence

Email-based attacks were causing devastation long before the coronavirus pandemic and will continue to do so long after. However, the by-product of enforced mass remote working has presented an opportunity to examine the most common attacks we face – and the controls we put in place to defend against them.

An examination that was long overdue.

That network and endpoint security remains the primary area of focus for security teams, despite being far from the primary focus for cyber criminals, should cause concern. 

It’s past time for a new way of thinking. The old tactic of defending the perimeter is obsolete. There is no longer a perimeter to defend. Our people are mobile, accessing corporate data from everywhere on all sorts of devices, networks and platforms outside of the traditional corporate network. People are at the heart of most cyber attacks. It is only logical to place them at the heart of cyber defence.

Detecting and deterring common threats requires a vigilant, knowledgeable workforce. One that is acutely aware of its role in keeping your organisation safe – and is well-informed of the consequences of failing to do so.

This can only result from ongoing, adaptive cybersecurity training. Training that goes beyond general awareness of common threats and instils in end users an understanding of how their behaviour can be the difference between a successful attempt and a successful attack.

A ‘good’ cyber defence really isn’t good enough to protect against today’s dynamic threat landscape, as organisations globally continue to find out. Harming your business is the primary aim of cyber attackers. If defending it is not at the forefront of all users’ minds, there will only ever be one winner.

Martin Mackay, SVP, Proofpoint EMEA
