Last week’s WannaCrypt0r ransomware attack once again demonstrated that corporations all over the world are extremely vulnerable to cyberattacks. The WannaCry ransomware epidemic caused chaos and saw car factories shutting down, hospitals turning away patients, and telecommunications companies struggling to regain control of their systems.
Despite the involvement of elite hacking tools stolen from the NSA by the Shadow Brokers, the reality is that the vast majority of successful WannaCry infections began with a spear-phishing email. Those were official-looking emails designed to lure people into an infection. They are said to have included fake job offers, fake invoices, and fake security updates (among many others).
Last week’s well-publicized wave of attacks was certainly debilitating, but it is good that it has brought cybersecurity to the forefront of many people’s minds. Statistics demonstrate that firms are being hacked every day. The only difference is that those attacks are going unnoticed because they aren’t physically locking up computers.
A survey of 1,523 British businesses conducted by the UK’s Department for Culture, Media and Sport earlier this year, revealed that around half of UK businesses were hacked in 2016. Each of those attacks cost firms between £1,570 and £19,600. That is far more than the $60,000 estimated to have been stolen by WannaCrypt0r (despite it being so widespread).
The same is true in the US, where it is believed there was a 40% increase in cyberattacks on corporations from 2015 to 2016. Those are huge numbers, and yet it took the international scale of the WannaCrypt0r attack to truly send shockwaves around the world.
This is problematic, because in reality the unnoticed hacking is causing far more damage than last week’s attack. In fact, in some ways, WannaCrypt0r may have been a useful eye-opener for many firms.
Something Must Be Done
The threat of cyberattacks is somewhat existential, particularly when those attacks don’t appear to cause any obvious damage. However, it is the hacks that are stealing data, trade secrets, consumer information, and all other kinds of important corporate data, that are actually the most damaging.
What’s more, the vast majority of those daily attacks start in a very similar way to the WannaCrypt0r attack: with social engineering.
Social engineering is an extremely effective, low-tech method of initiating an attack vector. It is effective because it exploits arguably the biggest vulnerability in the security chain: people. An email with a link in it can deliver malware onto a system that then communicates with a Command and Control (C&C) server.
From that C&C server, a hacker can deliver more malevolent software onto the computer system, giving them more access and more abilities within the compromised system. At times, hackers have been known to turn on microphones in order to listen in on important meetings. On other occasions, it has been discovered that hackers were hanging around in systems for months (if not years) before they were discovered.
Vast Spending on Cybersecurity
Firms are aware of the problem, and in 2016 spending on cybersecurity hardware, software, and services rose to $73.7 billion. High-profile hacks like that of Talk Talk in the UK and Sony in the US (among many others) help to open people’s eyes. As a result, firms hire more and better information security officers and move forward with implementing essential systems like the SANS Institute ‘First Five.’
Unfortunately, despite spending money on robust firewalls and other security tools, firms still fall victim to hackers, often making them feel like they were just wasting money. That’s why it’s so important to balance cybersecurity technologies with good controls and education for staff members.
Hack Your Own
Insurance company IAG New Zealand understands the importance of this side of the problem and is being proactive about educating its staff. By rewarding staff members who spot potential threats, it has encouraged a culture of awareness. Making sure that staff are always on the lookout for potentially damaging emails thwarts the possibility of allowing malware through the firm’s firewall due to human error.
In addition, IAG has found a way to identify employees who are in need of more training, by sending them a phishing email once a month. Once a member of staff falls victim to the false spear phishing campaign, they are assigned urgent security training, to stop them falling victim to a real social engineering attack.
This is an excellent training tactic that is bound to work. After all, no one likes to be fooled once, never mind twice. Once a person has fallen victim to a phishing attack, they are far less likely to fall victim again – in order to avoid the embarrassment of being caught out once more. This becomes even truer when they receive training and are educated about what to look out for.
At IAG New Zealand, the firm has bolstered that tactic by implementing a slowly incrementing difficulty level to the phishing campaign. The training, the firm explains, has slowly been growing in complexity over the course of the months that it has been in place.
According to IAG director of cybersecurity Mark Knowles, at first the email was easy to spot. Once staff members had successfully been trained to deal with that easy hacking attempt, however, the firm pushed forward, slowly training all 3,500 members of its staff to become experts in spotting phishing emails.
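The programme described above, monthly simulated lures, urgent training for anyone who clicks, rewards for anyone who reports, and a difficulty that only steps up once staff have learned the current level, can be tracked with a few lines of code. This is an added example, not IAG’s system: the result format, the three difficulty tiers and the 10% click-rate threshold are assumptions, and the sample results are constructed.

```python
"""Tracker for a monthly phishing-simulation programme (added example).
Assumed: per-employee results per campaign, three difficulty tiers,
and a 10% click-rate threshold before the next tier is used."""
from dataclasses import dataclass
from collections import Counter

# Assumed difficulty tiers for the simulated lures, easiest first.
TIERS = ["obvious", "plausible", "targeted"]

@dataclass
class Result:
    employee: str
    month: str
    tier: str
    clicked: bool    # followed the simulated link
    reported: bool   # reported the email to security (rewarded)

# Constructed sample results for two monthly campaigns (not real data).
SAMPLE = [
    Result("alice", "2017-04", "obvious", clicked=False, reported=True),
    Result("bob",   "2017-04", "obvious", clicked=True,  reported=False),
    Result("carol", "2017-04", "obvious", clicked=True,  reported=False),
    Result("dave",  "2017-04", "obvious", clicked=False, reported=False),
    Result("alice", "2017-05", "obvious", clicked=False, reported=True),
    Result("bob",   "2017-05", "obvious", clicked=True,  reported=False),
    Result("carol", "2017-05", "obvious", clicked=False, reported=True),
    Result("dave",  "2017-05", "obvious", clicked=False, reported=True),
]

def for_month(results, month):
    return [r for r in results if r.month == month]

def needs_training(results):
    """Everyone who clicked the lure is assigned urgent training."""
    return sorted({r.employee for r in results if r.clicked})

def to_reward(results):
    """Everyone who reported the lure without clicking it."""
    return sorted({r.employee for r in results if r.reported and not r.clicked})

def repeat_clickers(results):
    """Staff fooled in more than one campaign: candidates for extra help."""
    counts = Counter(r.employee for r in results if r.clicked)
    return sorted(e for e, n in counts.items() if n > 1)

def click_rate(results):
    return sum(r.clicked for r in results) / len(results) if results else 0.0

def next_tier(results, current, threshold=0.10):
    """Step up difficulty only once the click rate is below threshold;
    stay at the hardest tier once it has been reached."""
    if click_rate(results) >= threshold:
        return current
    return TIERS[min(TIERS.index(current) + 1, len(TIERS) - 1)]
```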
With the increasing frequency with which elite hacking tools (like those stolen from the NSA, the CIA, and private firms like Italy’s Hacking Team) are being leaked to the internet, it is important for all businesses to take action. With that in mind, it is essential to ensure that they follow IAG’s example if they don’t want all those billions spent on cyber defense to be a total waste.
Small Businesses at Risk
It is not just large corporations that need to pay attention, either. Small businesses that don’t have an IT department are easy pickings for cybercriminals. A local pizza parlor, nail salon, or corner shop might not have had the foresight to keep on top of updating its computer systems. Unfortunately, this puts those small enterprises at huge risk.
Six out of ten small businesses that suffer a severe cyberattack go out of business. This is a hugely troubling fact, and small business owners must make the effort to update their systems regularly, have a robust firewall in place, and use strong, unique passwords if they want to survive. The good news is that with fewer staff it should be possible to ensure that computer systems are accessed only by trusted employees, who have been trained thoroughly to always think before opening an email.
Opinions are the writer’s own.