Cybersecurity has three pillars of people, process, and technology. Enterprises have historically had a skewed focus towards the technology aspect of cyber security - installing another endpoint agent, or deploying another network monitoring device designed to seek out anomalys behaviour.
While all these things are well and good, when you look at user awareness plans, and most companies have a once-a-year activity where they go over a few points and hope people remain educated.
And as far as processes go … well, it’s unclear how much of a conscious effort is put into developing robust processes for cyber security, particularly in small and medium businesses.
If we take an unscientific look at some of the trends over the last couple of years, we can see that attacks coming from non-state adversaries has been changing some of its tactics. It is no longer possible for most attackers to waltz in through the virtual front door of organizations and access their data. Which is why many attackers focus on different areas.
Three of the most commonly spotted areas are as follows:
Employees
Going after employees is a tried and tested method. Be that dropping USB drives marked “HR bonus list” in the car park, or sending targeted phishing emails, these attacks have proven to stand the test of time.
Phishing emails have been used in many ransomware infections, as well as Business Email Compromise (BEC) rely on duping users within a company.
At the beginning of 2019 it was reported that the Indian unit of an Italian firm was targeted and managed to swindle $18.6m. This trend shows no signs of slowing down as Business email compromise (BEC) fraud attacks soared 58% in the UK during 2018, possibly affecting as many as half a million SMEs, according to Lloyds Bank data.
Customers
Employees aren’t the only ones targeted by criminals. Customers of companies are also fair game in the eyes of hackers.
Phishing attacks are a common avenue, with scammers masquerading as popular brands such as Apple or Amazon, threatening behaviour such as law enforcement or the tax office, or even pulling at emotions such as love and greed.
In fact a Netflix phishing scam was so bad, even the FTC issued a statement warning customers about it.
But phishing isn’t the only attack avenue against customers. Credential stuffing has also risen in popularity. This is where scammers take the passwords of users that have been disclosed in breaches, and use those credentials against other systems in the hope that users have reused passwords across different services.
Third Parties
Another avenue attackers target are third parties. This could be any company in the supply chain, or with whom the target has a business relationship with. The infamous Target breach of 2013 was conducted after attackers broke in via a HVAC company.
In a more recent incident, LocalBitcoins was targeted by attackers who were able to compromise the sites forums and redirect users to a phishing site from where they captured users credentials.
Recommendations
Cyber security is perhaps the most challenging game of whack-a-mole in existence. Where we plug one hole, the attackers move to another, easier to exploit hole. With this, we should look to continually move forward and proactively try and stop attackers new tactics becoming full-fledged epidemics.
To do so, enterprises need to have a consistent approach to not just user awareness, but also increase awareness for their customers, and 3rd party partners.
The most important things to consider would be:
-
Password reuse
Raise awareness of the dangers and risks associated with password reuse. Also provide tools or methods to help eliminate password reuse such as the use of password managers.
-
Clicking on links & opening attachments
While users within enterprises are getting some training on the dangers of clicking links or opening email attachments, this should extend to customers too. Establish good practices by avoiding sending links in emails, and asking users to navigate directly to the website to log onto their accounts.
-
Reporting issues
Finally, and perhaps most importantly is to have a simple and accessible way for both employees and customers to report any suspicious activity. Or indeed, report that they may have fallen victim to a scam by clicking on a link, opening an attachment, or sending sensitive information to a scammer.
