As cybercrime continues to skyrocket with no signs of slowing, it’s no surprise that hackers are honing their skills to become smarter and pull off more sophisticated attacks than ever before. And thanks to the pandemic, cybercriminals have been granted the perfect storm to exploit businesses and individuals with weak infrastructure and underdeveloped security strategies.
But what if the media’s discursive framing around threat and ‘sophistication’ is actually causing more harm than good? It starts with the misconception that all cyber attacks are sophisticated, says Lauri Almann, co-founder of CybExer Technologies.
Tracing the source of this misconception is not easy, especially given that discourse in the media focuses on the battle of large corporations against severe intelligence breaches on specific networks. Large-scale attacks like the T-Mobile customer data breach and the Colonial Pipeline ransomware attack from earlier this year go some way in exacerbating perceptions around the state of the cyber ‘crisis’. The statistics don’t help either, with reports suggesting that phone and text fraud increased by 83% during the pandemic, and organisations experiencing a 29% increase in the number of cyber attacks globally.
Companies have become increasingly accustomed to positioning any attack they suffer as extremely serious and sophisticated. In fact, it actually makes sense that they do – after all, what would customers think of a company that leaves ‘low-hanging fruit’ for cyber criminals to take advantage of?
The truth behind the state of cyber in enterprise is that the hackers who pose the most immediate threat to your business are not likely to be sophisticated in their approach at all. Ironically, to be successful, hackers do not need to apply the most advanced techniques.
In 2018, for example, British Airways claimed that it had been the victim of a ‘sophisticated’ attack. But analysts concluded that the method used was a mere injection of e-skimming code – a classic tactic in which cybercriminals find insecure website components, inject new lines of code into them, and so change the site’s behaviour.
Contrary to popular discourse, cyber disasters cannot be measured merely by sophistication.
Often the most alarming attacks can be low-level phishing emails that entice people to open malicious attachments – a method which has become so easily exploitable. Businesses should be alert to evolving techniques used by scammers, but they must not neglect lower-level threats.
While a number of attacks rely on known software vulnerabilities, an overwhelming majority of campaigns require some level of human input to get underway. Such interactions are the entry point to more devious acts.
Low-level scammers are simply experts in deceit, yet they are the most effective when it comes to hurting your business. Why? Because you don’t see them coming.
Readers of the Guardian and Observer have reported losing more than £1m (€1.19m) to fraud as an epidemic of scams sweeps the country in the form of HMRC impersonations, phishing emails and the like. Already high levels of vulnerability increased significantly with the onset of Covid-19 as people were forced to digitise. Many people were not confident using new platforms, and many more were susceptible to acting on malicious requests that mentioned vaccines and isolation due to anxieties about protocol.
Ultimately, underpinning these targeted campaigns is a willingness to try one’s luck, and success relies on innocent clicks.
Banks are facing a particularly difficult challenge, with harrowing statistics emerging, such as £355m (€421.74m) being lost to authorised push payment fraud in the UK.
While banks do reimburse individuals in cases of fraudulent transfers, this creates a paradoxical challenge for them, as they are simultaneously trying to educate people on how to stay diligent online. Payouts avoid the root of the problem, since people are the weak link when it comes to cyber security, and a lack of accountability emerges where consumers don’t lose out.
This poses a wider question about why businesses choose to ignore consumer behaviours when composing their own cyber strategies and focus instead on spending their budget training IT teams alone. Employees at every level of a company can be targeted by scams, and the statistics prove that those outside of the IT department are likely to be any business’s Achilles heel.
Cyber criminals may be getting smarter, but the problem remains the same: if people are not equipped with practical knowledge, avoidable low-level phishing attacks will continue to occur and, ironically, remain the most harmful.
Misconception vs reality
At the most basic level, unethical hackers who sit behind screens are focused on getting us to intentionally click on something ‘favourable’ or ‘interesting’, which then unleashes a booby trap on unsuspecting people. Cybersecurity cannot be limited to the realm of ‘professionals’, but concerns all people everywhere; it is a human problem which requires a human solution.
The best way to tackle this problem is to teach safe cybersecurity through practice, not theory.
A democratising push to educate people on threat and response in cyberspace is necessary if we are to counter the very core of cyber insecurity.
Indeed, training must be available to all – a business’s cyber strategy should involve basic, practical training for everyone, down to its interns and receptionists.
Call to arms – companies, we need you
It will take a top-down approach to cure the variable of cyber uncertainty. Assembling a team of cyber-attack response units equipped with the necessary threat-hunting tools and experience is crucial. In addition, every company must have its own cyber security training programme, which gives employees the skills to know when they are being attacked. Cyber attackers are constantly evolving their techniques, so a company’s first responders must be its people.
Without this, the consequences of initial mistakes can be severe. One famous example was the ransomware case of CWT Global, which in July 2020 negotiated in a chatroom and was made to pay $4.5 million (€3.98 million) in Bitcoin to the Ragnar Locker gang. Another was the phishing attack against Ireland’s Health Executive Services, in which an employee was lured into clicking a link because their computer had stopped working properly. A ransom of $20 million (€17.68 million) was demanded; the organisation refused to pay, however.
Even without the most advanced technical capacities, scammers will manage to exploit data reserves, sell illicit material on the dark web and commit identity fraud. Businesses therefore cannot afford to neglect tackling the less sophisticated cybercrimes – for these will be their greatest nemesis in years to come.
One of the most important elements in cyberstrategy is the power to arm your team with the knowledge that strange attachments can be serious and have severe consequences.
The author is Lauri Almann, co-founder of CybExer Technologies